Description
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator performed a Source Control Pull, n8n imported the file and could lead to SQL injection on the internal PostgreSQL instance. Exploitation requires the n8n instance uses PostgreSQL as its database backend, the Source Control feature is enabled and connected to a repository the attacker can write to, and an administrator triggers a Source Control Pull. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
Published: 2026-06-23
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n is an open source workflow automation platform. Prior to releases 1.123.43, 2.22.1, and 2.20.7, an attacker who can write to the git repository linked to an n8n Source Control configuration can commit a malicious Data Table JSON file that contains a crafted column name. When an administrator executes a Source Control Pull, n8n imports the JSON file and constructs an SQL statement that incorporates the malicious column name, which can lead to injection against the internal PostgreSQL database. The vulnerability requires the instance to use PostgreSQL, have Source Control enabled, and for the attacker to have write access to the connected repository. If these conditions are met and an administrator triggers a pull, the attacker can read, modify, or delete data in the database and possibly elevate privileges.

Affected Systems

The vulnerability affects all n8n instances running versions prior to 1.123.43, 2.22.1, and 2.20.7. Any instance with Source Control enabled, connected to a repository the attacker can write to, and using PostgreSQL as its database backend is susceptible.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity. The vulnerability is not listed in CISA’s KEV catalog and its EPSS score is not available. However, the required conditions—repository write access, Source Control enabled, and an administrator initiating a pull—make exploitation plausible. The attack vector is within the n8n instance; an attacker with repository write privileges can manipulate the system without needing direct server access.

Generated by OpenCVE AI on June 24, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 1.123.43 or newer, 2.22.1, or 2.20.7
  • Restrict write access to the connected git repository to trusted users
  • Disable the Source Control feature on vulnerable instances until the patch is applied

Generated by OpenCVE AI on June 24, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mhrx-qhrj-673w n8n Has a Source Control Pull SQL Injection
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator performed a Source Control Pull, n8n imported the file and could lead to SQL injection on the internal PostgreSQL instance. Exploitation requires the n8n instance uses PostgreSQL as its database backend, the Source Control feature is enabled and connected to a repository the attacker can write to, and an administrator triggers a Source Control Pull. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
Title n8n: Source Control Pull SQL Injection
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:44:07.800Z

Reserved: 2026-05-07T19:20:44.692Z

Link: CVE-2026-44792

cve-icon Vulnrichment

Updated: 2026-06-23T17:44:03.673Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')