CVE-2026-33713

Received Received - Intake

SQL Injection in n8n Data Table Get Node Enables Data Manipulation

Publication date: 2026-03-25

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-25

Last Modified

2026-03-27

Generated

2026-06-16

AI Q&A

2026-03-26

EPSS Evaluated

2026-06-14

NVD

CVE-2026-33713

EUVD

EUVD-2026-15947

Affected Vendors & Products

Vendor	Product	Version / Range
n8n	n8n	From 2.0.0 (inc) to 2.13.3 (exc)
n8n	n8n	2.14.0
n8n	n8n	to 1.123.26 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Compliance Impact

The provided information does not specify how this SQL injection vulnerability in n8n affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-33713 is a high-severity SQL injection vulnerability in the n8n workflow automation platform, specifically affecting the Data Table Get node.

An authenticated user with permission to create or modify workflows can manipulate the `orderByColumn` expression to inject SQL commands.

The impact varies depending on the database backend: on the default SQLite database, only single SQL statements can be executed, limiting the attack surface; on PostgreSQL deployments, multi-statement execution is possible, allowing attackers to modify or delete data.

The vulnerability requires low privileges, no user interaction, and can be exploited remotely over the network.

It has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1.

Impact Analysis

This vulnerability can lead to unauthorized data modification or deletion, especially on PostgreSQL deployments where multi-statement SQL execution is possible.

An attacker with workflow editing permissions can exploit this flaw remotely without user interaction, potentially compromising the confidentiality, integrity, and availability of your data.

Data modification
Data deletion
Potential disruption of workflow automation processes

Detection Guidance

Detection of this vulnerability involves auditing n8n workflows for the presence of the Data Table Get node where the `orderByColumn` parameter is set to an expression that incorporates external or user-supplied input.

Since the vulnerability requires an authenticated user with permissions to create or modify workflows, reviewing workflow configurations and permissions is essential.

There are no specific commands provided in the available information to detect exploitation attempts or the vulnerability directly on the network or system.

Mitigation Strategies

The primary mitigation is to upgrade n8n to a patched version: 1.123.26, 2.13.3, 2.14.1, or later.

Limit workflow creation and editing permissions to fully trusted users only.
Disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable.
Review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression involving external or user-supplied input.

Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures until an upgrade can be performed.

Hi! I’m here to help you understand CVE-2026-33713. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-33713

SQL Injection in n8n Data Table Get Node Enables Data Manipulation

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart