Description
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-03-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Data manipulation via SQL injection
Action: Patch immediately
AI Analysis

Impact

The vulnerability arises from the orderByColumn expression in the Data Table Get node of n8n, where external or user-supplied input is concatenated directly into an SQL statement. This omission of proper sanitization enables an attacker to inject arbitrary SQL. When executed against SQLite the injection is limited to single statements, but on PostgreSQL the attacker can submit multiple statements, allowing modification or deletion of data. The weakness aligns with CWE‑89: Improper Neutralization of Special Elements used in an SQL Command.

Affected Systems

Affected users are running n8n versions prior to 1.123.26, 2.13.3, or 2.14.1. The impact is only present when the Data Table Get node is enabled and the database is SQLite or PostgreSQL. The attacker must have authenticated access that permits creating or editing workflows, as the vulnerability is triggered by supplying a crafted expression in the node configuration.

Risk and Exploitability

The CVSS base score of 8.7 classifies the flaw as high severity, while the EPSS score of less than 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate user credentials with workflow‑edit rights; once achieved, the attacker can inject SQL targeting the configured database. Mitigations such as limiting workflow‑edit permissions, excluding the Data Table node, or reviewing existing workflows provide short‑term protection but do not constitute a full fix.

Generated by OpenCVE AI on March 27, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update n8n to version 1.123.26, 2.13.3, or 2.14.1 or later.
  • Restrict workflow creation and editing permissions to fully trusted users only.
  • Disable the Data Table node by setting the NODES_EXCLUDE environment variable to include n8n-nodes-base.dataTable.
  • Review existing workflows for Data Table Get nodes and modify or remove any instances where orderByColumn is set to an expression that incorporates external input.
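
One way to carry out the workflow review in the last action, as an added example (not n8n's or OpenCVE's code). It assumes workflows exported as JSON with a `nodes` array whose entries carry `name`, `type` and `parameters`, and that expression values are strings starting with `=`; the sample workflow and the `referencesInput` heuristic are constructed for illustration.

```javascript
// Added example: flag Data Table nodes whose orderByColumn is an expression.
const DATA_TABLE_TYPE = 'n8n-nodes-base.dataTable';

// Collect every value stored under `key` anywhere inside a parameters object.
function findParam(value, key, path = 'parameters', hits = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findParam(v, key, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (k === key) hits.push({ path: `${path}.${k}`, value: v });
      findParam(v, key, `${path}.${k}`, hits);
    }
  }
  return hits;
}
// Assumption: an expression is a string value that starts with "=".
const isExpression = (v) => typeof v === 'string' && v.trimStart().startsWith('=');

function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    if (node.type !== DATA_TABLE_TYPE) continue;
    for (const hit of findParam(node.parameters, 'orderByColumn')) {
      if (!isExpression(hit.value)) continue; // fixed column name: not flagged
      findings.push({
        workflow: workflow.name,
        node: node.name,
        path: hit.path,
        expression: hit.value,
        // Heuristic: the expression reads data from the run or another node.
        referencesInput: /\$(?:json|input|node|\()/.test(hit.value),
      });
    }
  }
  return findings;
}

// Constructed sample export; node names and parameter nesting are illustrative.
const sampleWorkflow = {
  name: 'constructed-sample',
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: {} },
    { name: 'Rows static', type: DATA_TABLE_TYPE, parameters: { orderByColumn: 'createdAt' } },
    { name: 'Rows dynamic', type: DATA_TABLE_TYPE,
      parameters: { options: { orderByColumn: '={{ $json.query.sort }}' } } },
  ],
};
console.log(JSON.stringify(auditWorkflow(sampleWorkflow), null, 2));
```

Findings with `referencesInput` set are the ones to rework or remove first; the remaining flagged expressions still need a manual read.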

Advisories
Source: GitHub GHSA
ID: GHSA-98c2-4cr3-4jc3
Title: n8n has SQL Injection in Data Table Node via orderByColumn Expression
History

Fri, 27 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
cpe:2.3:a:n8n:n8n:2.14.0:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 25 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Title n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T18:06:45.269Z

Reserved: 2026-03-23T17:06:05.747Z

Link: CVE-2026-33713

Vulnrichment

Updated: 2026-03-25T18:05:36.306Z

NVD

Status: Analyzed

Published: 2026-03-25T18:16:32.700

Modified: 2026-03-27T19:39:36.813

Link: CVE-2026-33713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:16Z

Weaknesses