CVE-2026-27497

Received Received - Intake

Arbitrary Code Execution via Merge Node SQL Injection in n8n

Publication date: 2026-02-25

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-25

Last Modified

2026-03-04

Generated

2026-06-16

AI Q&A

2026-02-26

EPSS Evaluated

2026-06-15

NVD

CVE-2026-27497

EUVD

EUVD-2026-8759

Affected Vendors & Products

Vendor	Product	Version / Range
n8n	n8n	to 1.123.22 (exc)
n8n	n8n	From 2.0.0 (inc) to 2.9.3 (exc)
n8n	n8n	From 2.10.0 (inc) to 2.10.1 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-94	The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

Executive Summary

This vulnerability affects the n8n workflow automation platform. Before certain fixed versions, an authenticated user who has permission to create or modify workflows could exploit the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server.

This means that a user with limited permissions could potentially run harmful commands or alter files on the server hosting n8n, which could compromise the system.

The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Until upgrading, administrators are advised to restrict workflow creation and editing permissions to fully trusted users and/or disable the Merge node as a temporary mitigation.

Impact Analysis

If exploited, this vulnerability allows an authenticated user with workflow creation or modification permissions to execute arbitrary code and write arbitrary files on the n8n server.

Execution of arbitrary code could lead to full system compromise.
Writing arbitrary files could allow attackers to alter or inject malicious files, potentially leading to data loss, data corruption, or further exploitation.
The overall impact could include unauthorized access, data breaches, service disruption, and loss of control over the affected system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade n8n to version 2.10.1, 2.9.3, 1.123.22, or later.

If upgrading is not immediately possible, consider the following temporary mitigations:

Limit workflow creation and editing permissions to fully trusted users only.
Disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable.

Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Hi! I’m here to help you understand CVE-2026-27497. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-27497

Arbitrary Code Execution via Merge Node SQL Injection in n8n

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart