CVE-2026-33713
SQL Injection in n8n Data Table Get Node Enables Data Manipulation
Publication date: 2026-03-25
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | From 2.0.0 (inc) to 2.13.3 (exc) |
| n8n | n8n | 2.14.0 |
| n8n | n8n | to 1.123.26 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33713 is a high-severity SQL injection vulnerability in the n8n workflow automation platform, specifically affecting the Data Table Get node.
An authenticated user with permission to create or modify workflows can manipulate the `orderByColumn` expression to inject SQL commands.
The impact varies depending on the database backend: on the default SQLite database, only single SQL statements can be executed, limiting the attack surface; on PostgreSQL deployments, multi-statement execution is possible, allowing attackers to modify or delete data.
The vulnerability requires low privileges, no user interaction, and can be exploited remotely over the network.
It has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized data modification or deletion, especially on PostgreSQL deployments where multi-statement SQL execution is possible.
An attacker with workflow editing permissions can exploit this flaw remotely without user interaction, potentially compromising the confidentiality, integrity, and availability of your data.
- Data modification
- Data deletion
- Potential disruption of workflow automation processes
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves auditing n8n workflows for the presence of the Data Table Get node where the `orderByColumn` parameter is set to an expression that incorporates external or user-supplied input.
Since the vulnerability requires an authenticated user with permissions to create or modify workflows, reviewing workflow configurations and permissions is essential.
There are no specific commands provided in the available information to detect exploitation attempts or the vulnerability directly on the network or system.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade n8n to a patched version: 1.123.26, 2.13.3, 2.14.1, or later.
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable.
- Review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression involving external or user-supplied input.
Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures until an upgrade can be performed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this SQL injection vulnerability in n8n affects compliance with common standards and regulations such as GDPR or HIPAA.