Impact
n8n is an open source workflow automation platform. Prior to releases 1.123.43, 2.22.1, and 2.20.7, an attacker who can write to the git repository linked to an n8n Source Control configuration can commit a malicious Data Table JSON file that contains a crafted column name. When an administrator executes a Source Control Pull, n8n imports the JSON file and constructs an SQL statement that incorporates the malicious column name, which can lead to injection against the internal PostgreSQL database. The vulnerability requires the instance to use PostgreSQL, have Source Control enabled, and for the attacker to have write access to the connected repository. If these conditions are met and an administrator triggers a pull, the attacker can read, modify, or delete data in the database and possibly elevate privileges.
Affected Systems
The vulnerability affects all n8n instances running versions prior to 1.123.43, 2.22.1, and 2.20.7. Any instance with Source Control enabled, connected to a repository the attacker can write to, and using PostgreSQL as its database backend is susceptible.
Risk and Exploitability
The CVSS score of 8.9 indicates high severity. The vulnerability is not listed in CISA’s KEV catalog and its EPSS score is not available. However, the required conditions—repository write access, Source Control enabled, and an administrator initiating a pull—make exploitation plausible. The attack vector is within the n8n instance; an attacker with repository write privileges can manipulate the system without needing direct server access.
OpenCVE Enrichment
Github GHSA