CVE-2026-54310
Status: Received - Intake
SQL Injection in n8n Workflow Automation Platform

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, an authenticated user with permission to create or modify workflows could supply crafted parameters to the TimescaleDB node and/or the legacy Postgres v1 node, allowing arbitrary SQL to be injected and executed against the connected database with the privileges of the configured database account. This vulnerability is fixed in 2.25.7 and 2.26.2.
CVSS Scores: none listed
EPSS Scores: not yet evaluated (Probability and Percentile: N/A)

Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-23
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: n8n-io
Product: n8n
Version / Range: all versions prior to 2.25.7, and 2.26.x prior to 2.26.2 (the fixed versions 2.25.7 and 2.26.2 are excluded)
Exploitability
CWE: CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
KEV: no entry shown on this page
Executive Summary

CVE-2026-54310 is a SQL injection vulnerability in the n8n workflow automation platform, specifically affecting the Postgres v1 and TimescaleDB nodes in versions prior to 2.25.7 and 2.26.2.

An authenticated user with permission to create or modify workflows can exploit it by supplying crafted node parameters that are placed into the SQL these nodes send to the database, so that attacker-chosen SQL is executed rather than being treated as data.

The injected SQL runs with the privileges of the configured database account, so the attacker can perform any database operation that account is allowed to perform.

The vulnerability is classified as CWE-89, which relates to improper neutralization of SQL special elements.
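The mechanism behind CWE-89 here, as an added example in JavaScript that is not n8n's code: a hypothetical node that splices its `table`, `column` and `value` parameters straight into an INSERT, beside the form that quotes identifiers and binds values. The parameter names, the helper functions and the attacker-controlled strings are assumptions for illustration, not the real node's schema or a known payload.

```javascript
// Added example, not n8n's code: why splicing a node parameter into SQL text
// is CWE-89, and the two changes that close it. The parameter names (table,
// column, value) are hypothetical and do not mirror the real node's schema.

// VULNERABLE: identifier and value are both spliced into the SQL string, so
// a parameter containing ';', '--' or a quote rewrites the statement.
function buildInsertUnsafe(table, column, value) {
  return `INSERT INTO ${table} (${column}) VALUES ('${value}')`;
}

// Quote an SQL identifier the way PostgreSQL expects: wrap it in double
// quotes and double every embedded double quote. Whatever the string holds,
// it is then parsed as exactly one identifier and nothing else.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// HARDENED: identifiers go through quoteIdent; values never enter the SQL
// text at all but are returned separately, to be sent as bind parameters
// ($1, $2, ...) so the server parses the query before it ever sees the data.
function buildInsertSafe(table, column, value) {
  return {
    text: `INSERT INTO ${quoteIdent(table)} (${quoteIdent(column)}) VALUES ($1)`,
    values: [value],
  };
}

// Count ';' characters outside single- and double-quoted regions. A single
// INSERT should contain none; each one present is a stacked statement the
// parameter smuggled in. (A rough gauge, enough to make the difference visible.)
function countStatementSeparators(sql) {
  let inSingle = false;
  let inDouble = false;
  let n = 0;
  for (const ch of sql) {
    if (ch === "'" && !inDouble) inSingle = !inSingle;
    else if (ch === '"' && !inSingle) inDouble = !inDouble;
    else if (ch === ';' && !inSingle && !inDouble) n += 1;
  }
  return n;
}

// Constructed attacker-controlled parameter values (hypothetical).
const evilTable = 'users; DROP TABLE audit_log; --';
const evilValue = "x'); DELETE FROM users; --";

// Build both forms with the same hostile input and report what each produced.
function demo() {
  const unsafeSql = buildInsertUnsafe(evilTable, 'email', evilValue);
  const safe = buildInsertSafe(evilTable, 'email', evilValue);
  return {
    unsafeSql,
    unsafeSeparators: countStatementSeparators(unsafeSql),
    safeText: safe.text,
    safeSeparators: countStatementSeparators(safe.text),
    safeValues: safe.values,
  };
}

console.log(demo());
```

With the hostile inputs, the unsafe builder yields a string containing four statement separators (two from the table name, two from the value), while the hardened builder yields one INSERT whose quoted identifier is merely an oddly named table and whose value travels out of band. Identifier quoting is the part people forget: bind parameters cannot carry table or column names, so any node that lets the user pick a table must quote it or validate it against an allow-list.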

Compliance Impact

The SQL injection vulnerability in n8n allows an authenticated user to execute arbitrary SQL commands with the privileges of the configured database account, which can lead to unauthorized access, modification, or deletion of sensitive data.

Such unauthorized access and potential data compromise can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding the confidentiality, integrity, and availability of personal and sensitive information.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to potential data breaches or unauthorized data manipulation.

Impact Analysis

Exploitation requires an authenticated account that can create or edit workflows, so the attacker is an insider or someone who has already taken over such an account; from there the consequences for the confidentiality, integrity and availability of the connected database are high.

  • An attacker with workflow creation or modification permissions can execute arbitrary SQL statements against any database reachable through a Postgres v1 or TimescaleDB node credential.
  • This can mean reading data the workflow was never meant to expose, modifying or deleting records, or disrupting the database service.
  • The statements run with the privileges of the configured database account, so that account's privileges bound the damage. If the account is a PostgreSQL superuser, the impact is not confined to the data: superuser privileges include reading and writing files on the database host and running commands there, so a database-side compromise can become a host-side one.
  • In n8n a credential can be shared so that a user can run workflows with it without seeing its contents. This flaw lets such a user run arbitrary SQL with the shared credential, which is the privilege boundary being crossed.
Detection Guidance

Determining exposure means checking whether your n8n instance runs a vulnerable version (anything below 2.25.7, or 2.26.0 and 2.26.1) and whether any workflow uses the legacy Postgres v1 node or the TimescaleDB node. The advisory does not name the current Postgres node (v2), but workflows built before it existed, or imported from older exports, keep their original node version and may still carry v1.

Exploitation requires an authenticated user with workflow creation or modification permissions, so the evidence lives in two places: the SQL the database actually received, and the workflow edits that put it there.

There are no specific commands provided in the resources to detect exploitation directly, but general steps include:

  • Check the n8n version by running `n8n --version` (inside the container for Docker deployments) or checking the application metadata.
  • Audit database logs for suspicious or unexpected SQL originating from the Postgres v1 or TimescaleDB nodes. PostgreSQL only records statement text when `log_statement` is set to `mod` or `all` (or `log_min_duration_statement` is low enough to catch the query), and queries sent as prepared statements appear as `execute` rather than `statement` lines, so confirm the logging level before reading an absence of evidence as an absence of exploitation.
  • Review workflow creation and modification history for unauthorized or unusual activity and, where execution data is saved, inspect the parameters the affected nodes were run with.
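The three steps above as runnable checks, an added example that is not n8n's own tooling and not taken from the advisory. The version logic follows the two fixed branches the advisory names. Assumptions: exported n8n workflow JSON exposes `nodes[].type` and `nodes[].typeVersion`, the node type names used below are the right ones, PostgreSQL writes statements as `LOG:  statement: <sql>` or `LOG:  execute <name>: <sql>`, and the sample workflow and log lines are constructed for the example.

```javascript
// Added example, not n8n's own tooling: the three detection steps as runnable
// checks. Assumptions: workflow JSON has nodes[].type and nodes[].typeVersion,
// the node type names below are correct, and PostgreSQL logs SQL as
// "... LOG:  statement: <sql>" or "... LOG:  execute <name>: <sql>".

// Step 1: version check. The fix landed on two branches, so 2.25.8 is fixed
// although it is lower than 2.26.2, and 2.26.0 is vulnerable although it is
// higher than 2.25.7. Everything below 2.25.7 (including 1.x) is unfixed;
// anything newer than 2.26 is assumed to carry the fix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function isFixedVersion(v) {
  const [major, minor, patch] = parseVersion(v);
  if (major !== 2) return major > 2;
  if (minor === 26) return patch >= 2;
  if (minor === 25) return patch >= 7;
  return minor > 26;
}

// Step 2: workflow audit. List the nodes whose SQL path is affected: the
// legacy Postgres node (typeVersion 1 only; v2 is a separate implementation)
// and the TimescaleDB node. Type names are assumed.
const AFFECTED_NODE_TYPES = {
  'n8n-nodes-base.postgres': (typeVersion) => typeVersion === 1,
  'n8n-nodes-base.timescaleDb': () => true,
};

function findAffectedNodes(workflow) {
  return (workflow.nodes || [])
    .filter((n) => {
      const affected = AFFECTED_NODE_TYPES[n.type];
      return affected !== undefined && affected(n.typeVersion);
    })
    .map((n) => ({ name: n.name, type: n.type, typeVersion: n.typeVersion }));
}

// Step 3: database log audit. Pull the SQL out of each statement log line and
// flag patterns that a workflow's own queries rarely contain. Expect some
// false positives (legitimate comments, UNIONs) and triage them by hand.
const INDICATORS = [
  [/;\s*(drop|delete|truncate|alter|create|grant|copy|update|insert)\b/i, 'stacked statement'],
  [/--|\/\*/, 'SQL comment sequence'],
  [/\bunion\b[\s\S]*\bselect\b/i, 'UNION SELECT'],
  [/\bpg_sleep\s*\(/i, 'time-based probe'],
  [/\b(pg_read_file|pg_ls_dir|lo_import)\s*\(/i, 'server file access'],
];

function scanStatementLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = /LOG:\s+(?:statement|execute [^:]*):\s*(.*)$/.exec(line);
    if (!m) continue;
    const sql = m[1];
    const indicators = INDICATORS.filter(([re]) => re.test(sql)).map(([, label]) => label);
    if (indicators.length > 0) findings.push({ sql, indicators });
  }
  return findings;
}

// Constructed sample data (not a real n8n export and not real server logs).
const SAMPLE_WORKFLOW = {
  name: 'nightly report',
  nodes: [
    { name: 'Old Postgres', type: 'n8n-nodes-base.postgres', typeVersion: 1, parameters: {} },
    { name: 'New Postgres', type: 'n8n-nodes-base.postgres', typeVersion: 2.6, parameters: {} },
    { name: 'Timescale', type: 'n8n-nodes-base.timescaleDb', typeVersion: 1, parameters: {} },
    { name: 'HTTP', type: 'n8n-nodes-base.httpRequest', typeVersion: 4.2, parameters: {} },
  ],
};

const SAMPLE_LOG = [
  '2026-06-23 10:01:02.114 UTC [1234] n8n@app LOG:  statement: SELECT id, email FROM users WHERE id = 42',
  '2026-06-23 10:01:05.201 UTC [1234] n8n@app LOG:  statement: SELECT * FROM users; DROP TABLE audit_log; --',
  '2026-06-23 10:01:09.377 UTC [1234] n8n@app LOG:  execute <unnamed>: SELECT name FROM t WHERE id = $1 UNION SELECT usename FROM pg_user',
  '2026-06-23 10:01:12.540 UTC [1234] n8n@app LOG:  statement: INSERT INTO metrics (ts, value) VALUES (now(), 7)',
];

console.log(['2.25.6', '2.25.7', '2.26.0', '2.26.2'].map((v) => `${v}: ${isFixedVersion(v) ? 'fixed' : 'VULNERABLE'}`));
console.log(findAffectedNodes(SAMPLE_WORKFLOW));
console.log(scanStatementLog(SAMPLE_LOG));
```

On the constructed data the version check reports 2.25.6 and 2.26.0 as vulnerable and 2.25.7 and 2.26.2 as fixed, the workflow audit returns the v1 Postgres node and the TimescaleDB node but not the v2 Postgres node, and the log scan flags the stacked-statement line and the UNION line while passing the two ordinary queries. To run it against real data, feed `findAffectedNodes` the parsed JSON of each workflow export and `scanStatementLog` the lines of the PostgreSQL log, adjusting the log regex to your `log_line_prefix`.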
Mitigation Strategies

The fix is to upgrade n8n to 2.25.7 or later on the 2.25 branch, or to 2.26.2 or later on the 2.26 branch. The affected nodes are part of the n8n release itself, so upgrading the instance is the whole change; there is no separate node package to update.

If upgrading immediately is not possible, temporary mitigations are:

  • Restrict workflow creation and modification permissions to trusted users only, and review which users each Postgres or TimescaleDB credential is shared with: anyone who can edit a workflow that uses such a credential can reach this flaw, even if they cannot view the credential's secret.
  • Disable the affected nodes with the `NODES_EXCLUDE` environment variable, which takes a JSON array of node type names, for example `NODES_EXCLUDE='["n8n-nodes-base.postgres","n8n-nodes-base.timescaleDb"]'` (the type names are assumed here; confirm them against your instance). Exclusion is by node type, not node version, so this also removes the current Postgres v2 node, and workflows that depend on it stop executing until the variable is removed after the upgrade.
  • Apply least privilege to the database account behind each Postgres or TimescaleDB credential: grant only the tables and statement types the workflow needs, and never a superuser role, so that injected SQL is bounded by that account rather than by the database.