Impact
An attacker with write access to the git repository connected to an n8n Source Control configuration can commit a malicious Data Table JSON file that contains a crafted column name. When an administrator performs a Source Control Pull, n8n imports the file and constructs an SQL statement using that column name, which can result in SQL injection on the internal PostgreSQL instance. This allows the attacker to read, modify, or delete data in the database, or potentially elevate privileges. The flaw affects n8n versions prior to 1.123.43, 2.22.1, and 2.20.7, and requires that the instance uses PostgreSQL as its database backend.
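The root cause described above is an identifier taken from a file under the attacker's control being spliced into SQL text. The following TypeScript is an added illustration, not n8n's own code and not its Data Table file format (the `DataTableFile` shape, the `TYPE_MAP` and every function name are assumptions made for this example). It shows the unsafe interpolation pattern beside a hardened importer that validates every column name against a strict identifier allowlist, quotes it the way PostgreSQL expects, maps column types from a fixed table instead of trusting the file, and refuses the whole import if any column fails.

```typescript
// Added example: validating column identifiers from an imported Data Table
// JSON before they reach a PostgreSQL DDL statement. Not n8n's code.

// Assumed, simplified file layout for the example (not the real format).
interface DataTableColumn {
  name: string;
  type: string;
}
interface DataTableFile {
  name: string;
  columns: DataTableColumn[];
}

// Conservative identifier allowlist: letters, digits and underscore, no
// leading digit, and bounded to PostgreSQL's 63-byte identifier limit.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

// Column types the importer is willing to map (assumed set); the SQL type
// never comes from the file itself.
const TYPE_MAP = new Map<string, string>([
  ["string", "text"],
  ["number", "double precision"],
  ["boolean", "boolean"],
  ["date", "timestamptz"],
]);

function isSafeIdentifier(name: string): boolean {
  return IDENTIFIER_RE.test(name);
}

// Quote an identifier as PostgreSQL expects: wrap in double quotes and
// double any embedded double quote. The allowlist check runs first, so the
// escaping is defence in depth rather than the only barrier.
function quoteIdentifier(name: string): string {
  if (!isSafeIdentifier(name)) {
    throw new Error(`unsafe identifier rejected: ${JSON.stringify(name)}`);
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Vulnerable pattern, shown only for contrast: the column name and type from
// the file are interpolated straight into DDL, so a quote or semicolon in the
// name changes the structure of the statement.
function unsafeAddColumnSql(table: string, col: DataTableColumn): string {
  return `ALTER TABLE "${table}" ADD COLUMN "${col.name}" ${col.type}`;
}

// Hardened builder: both identifiers are validated and quoted, and the type
// is looked up in the fixed map.
function safeAddColumnSql(table: string, col: DataTableColumn): string {
  const pgType = TYPE_MAP.get(col.type);
  if (pgType === undefined) {
    throw new Error(`unsupported column type: ${JSON.stringify(col.type)}`);
  }
  return `ALTER TABLE ${quoteIdentifier(table)} ADD COLUMN ${quoteIdentifier(col.name)} ${pgType}`;
}

// Plan a whole import: return the DDL to run only when every column is
// acceptable; otherwise return no statements and the list of problems, so a
// pull containing one bad column is refused as a unit.
function planImport(file: DataTableFile): { statements: string[]; errors: string[] } {
  const statements: string[] = [];
  const errors: string[] = [];
  const tableOk = isSafeIdentifier(file.name);
  if (!tableOk) errors.push(`table name rejected: ${JSON.stringify(file.name)}`);
  const seen = new Set<string>();
  for (const col of file.columns) {
    if (seen.has(col.name)) {
      errors.push(`duplicate column: ${JSON.stringify(col.name)}`);
      continue;
    }
    seen.add(col.name);
    if (!isSafeIdentifier(col.name)) {
      errors.push(`column name rejected: ${JSON.stringify(col.name)}`);
      continue;
    }
    if (!TYPE_MAP.has(col.type)) {
      errors.push(`unsupported column type: ${JSON.stringify(col.type)}`);
      continue;
    }
    if (tableOk) statements.push(safeAddColumnSql(file.name, col));
  }
  return { statements: errors.length === 0 ? statements : [], errors };
}

// Constructed sample input: one clean column and one whose name carries a
// double quote, which the allowlist rejects before any SQL is built.
const SAMPLE_FILE: DataTableFile = {
  name: "customers",
  columns: [
    { name: "email", type: "string" },
    { name: 'note"; --', type: "string" },
  ],
};

console.log(unsafeAddColumnSql("customers", SAMPLE_FILE.columns[1]));
console.log(planImport(SAMPLE_FILE));
```

Running the block prints the broken statement the unsafe builder would have produced for the quoted name, followed by a plan with zero statements and one rejection. The same allowlist-then-quote discipline applies to the table name, and the fixed type map removes a second place where file content would otherwise be concatenated into DDL.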
Affected Systems
The vulnerability affects n8n versions prior to 1.123.43, 2.22.1, and 2.20.7. Any instance running those releases with the Source Control feature enabled, connected to a repository the attacker can write to, and using PostgreSQL as its database backend is susceptible.
Risk and Exploitability
The CVSS score of 8.9 indicates high severity, and the vulnerability is not listed in CISA's KEV catalog. Although no EPSS score is available, the required conditions (write access to a Source Control repository, the feature being enabled, and an administrator triggering a pull) are concrete enough to make exploitation plausible. The attack vector is internal to the n8n instance, but an attacker with repository write privileges can manipulate the system without needing direct access to the server.
OpenCVE Enrichment
GitHub GHSA