CVE-2026-54310

n8n: SQL Injection in Postgres v1/TimescaleDB Nodes

CVSS 6.5 MEDIUM · CWE-89
In short

n8n workflow automation platform allows authenticated users to inject and execute arbitrary SQL commands through crafted parameters in TimescaleDB and Postgres v1 nodes, potentially compromising the connected database.

Technical detail

SQL injection vulnerability in n8n's TimescaleDB and legacy Postgres v1 nodes exploitable by authenticated workflow creators/modifiers through unsanitized parameter input; execution context limited to configured database account privileges; fixed in versions 2.25.7 and 2.26.2.

Summary generated and translated by AI from the official description.
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, an authenticated user with permission to create or modify workflows could supply crafted parameters to the TimescaleDB and/or legacy Postgres v1 nodes, allowing arbitrary SQL to be injected and executed against the connected database within the privileges of the configured database account. This vulnerability is fixed in 2.25.7 and 2.26.2.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
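The defect class above (CWE-89 via node parameters) comes down to how a database node turns user-controlled inputs into a statement. The following is an added illustration, not n8n's own code: table and column names cannot be bound as query parameters, so they are validated against a strict identifier pattern and quoted, while row values are passed as $1..$n bind parameters instead of being concatenated. The function names and the `PreparedQuery` shape are assumptions for this example.

```typescript
// Added example (not from n8n): safe vs. unsafe construction of an INSERT
// from workflow-node parameters such as table name, column names and values.

interface PreparedQuery {
  text: string;      // statement with $1..$n placeholders
  values: unknown[]; // bind values, never interpolated into text
}

// Only plain SQL identifiers are accepted; anything else is rejected.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Validate, then double-quote so the database reads the name as an
// identifier rather than as SQL syntax.
function quoteIdentifier(name: string): string {
  if (!IDENTIFIER.test(name)) {
    throw new Error(`invalid identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

// Naive construction of the kind CWE-89 describes: every parameter ends
// up in the statement text, so a crafted name or value changes the query.
function buildInsertUnsafe(table: string, row: Record<string, string>): string {
  const cols = Object.keys(row).join(", ");
  const vals = Object.values(row).map((v) => `'${v}'`).join(", ");
  return `INSERT INTO ${table} (${cols}) VALUES (${vals})`;
}

// Hardened construction: identifiers validated and quoted, values bound.
function buildInsertSafe(table: string, row: Record<string, unknown>): PreparedQuery {
  const columns = Object.keys(row);
  if (columns.length === 0) throw new Error("no columns supplied");
  const cols = columns.map(quoteIdentifier).join(", ");
  const placeholders = columns.map((_, i) => `$${i + 1}`).join(", ");
  return {
    text: `INSERT INTO ${quoteIdentifier(table)} (${cols}) VALUES (${placeholders})`,
    values: columns.map((c) => row[c]),
  };
}
```

With a driver such as node-postgres the returned `text` and `values` are passed separately, so the database, not string handling in the node, decides where data ends.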
Affected products
n8n-io · n8n
