CVE-2026-59257
Undergoing Analysis Undergoing Analysis - In Progress

SQL Injection in n8n Legacy MySQL Node

Vulnerability report for CVE-2026-59257, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ ... }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
n8n n8n to 1.123.61 (exc)
n8n n8n to 2.27.4 (exc)
n8n n8n From 2.28.0 (inc) to 2.28.1 (exc)
n8n n8n to 2.28.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59257 is a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation in n8n versions before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1.

The vulnerability occurs because the operation substitutes evaluated expression values ({{ ... }}) directly into raw SQL strings without parameterization, allowing attacker-controlled input to inject malicious SQL commands.

If a workflow using this node is connected to an externally reachable trigger such as a Webhook node, attackers can exploit this to execute arbitrary SQL commands with the privileges of the configured MySQL credentials.

The MySQL v2 node, which uses parameterized queries, is not affected by this vulnerability.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary SQL commands on the database with the privileges of the configured MySQL credentials.

Potential impacts include unauthorized access to sensitive data, modification or deletion of data, and compromise of the confidentiality and integrity of downstream systems.

Because the vulnerability can be exploited via externally reachable triggers like Webhook nodes, it increases the risk of remote attacks.

Mitigation Strategies

To mitigate the SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation in n8n, you should take the following immediate steps:

  • Upgrade n8n to versions 1.123.61, 2.27.4, or 2.28.1 or later, where the vulnerability has been patched.
  • Disable the MySQL v1 node to prevent usage of the vulnerable operation.
  • Restrict access to workflows that use the vulnerable MySQL v1 node, especially those connected to externally reachable triggers like Webhook nodes.
  • Migrate workflows from the MySQL v1 node to the MySQL v2 node, which uses parameterized queries and is not affected by this vulnerability.
Compliance Impact

This vulnerability allows attackers to perform SQL injection attacks that can lead to unauthorized access, modification, or deletion of data using the privileges of the configured MySQL credentials.

Such unauthorized data access and potential data breaches could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding the confidentiality and integrity of sensitive information.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59257. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart