Platform: nodejs
Component: n8n
Fixed in: 1.123.27, 2.0.1, 2.14.1, 1.123.26
CVE-2026-33713 describes a SQL Injection vulnerability discovered in n8n, a workflow automation platform. This vulnerability allows an authenticated user with workflow creation/modification permissions to inject malicious SQL code. The impact is significant, particularly in PostgreSQL deployments where multi-statement execution is possible, potentially enabling data modification and deletion. Affected versions include those prior to n8n 1.123.26, 2.13.3, and 2.14.1; a patch is available.
The SQL Injection vulnerability in n8n's Data Table Get node lets an attacker inject arbitrary SQL through the node's `orderByColumn` parameter. On SQLite databases, the impact is limited to manipulating the single statement being executed. On PostgreSQL deployments, however, multiple statements can be executed, so the attacker can read, modify, and delete data anywhere in the database. This could lead to complete data compromise, including sensitive user information, workflow configurations, and any system credentials stored in the database. The ability to modify stored workflows could also let an attacker inject malicious logic into automated processes, leading to further system compromise and data exfiltration. A successful exploit could effectively grant an attacker full control over the n8n instance and its associated data.
CVE-2026-33713 was publicly disclosed on 2026-03-26. The vulnerability is considered critical due to the potential for data modification and deletion. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation in PostgreSQL deployments suggests a potential for rapid exploitation if a PoC is developed. It is not currently listed on CISA KEV, but its severity warrants monitoring.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33713 is to upgrade n8n to version 1.123.26 or later, or to version 2.13.3 or 2.14.1. If immediate upgrade is not feasible, consider restricting user permissions to limit the ability to create or modify workflows. While not a complete fix, implementing a Web Application Firewall (WAF) with SQL Injection protection rules can provide an additional layer of defense. Carefully review and validate all user inputs within workflows to prevent malicious code from being injected. Monitor database logs for suspicious SQL queries, particularly those originating from workflow executions.
Update n8n to version 1.123.26, 2.13.3, 2.14.1 or later. If updating is not immediately possible, limit workflow creation and editing permissions to trusted users, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is configured with an expression that incorporates external or user-supplied input.
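As an added example (not code from n8n or from this advisory), the following script implements the last workaround above: it scans an exported workflow JSON for Data Table nodes whose `orderByColumn` is driven by an expression rather than a fixed column name, and flags those whose expression reads runtime input. It assumes parameters sit under each node's `parameters` object and that n8n marks expression-valued parameters with a leading `=` and `{{ }}`; the sample workflow is constructed.

```javascript
// Added example, not n8n's own code: scan an exported workflow for Data Table
// nodes whose `orderByColumn` is an expression rather than a fixed column name.
// Assumptions: the node type is `n8n-nodes-base.dataTable` (named in the advisory),
// parameters live under `node.parameters` (possibly nested under sub-objects),
// and n8n marks expression-valued parameters with a leading "=" and {{ }}.
const DATA_TABLE_TYPE = 'n8n-nodes-base.dataTable';
// Expression tokens that indicate the value comes from runtime or external data.
const EXTERNAL_INPUT_MARKERS = ['$json', '$input', "$('", '$node', '$items', '$env', '$vars'];

function isExpression(value) {
  return typeof value === 'string' && value.startsWith('=') && value.includes('{{');
}

// Recursively collect every `orderByColumn` value inside a parameters object.
function findOrderByColumns(obj, path = 'parameters', out = []) {
  if (obj === null || typeof obj !== 'object') return out;
  for (const [key, value] of Object.entries(obj)) {
    const here = `${path}.${key}`;
    if (key === 'orderByColumn') out.push({ path: here, value });
    findOrderByColumns(value, here, out);
  }
  return out;
}

// One finding per expression-driven orderByColumn on a Data Table node.
// "high" = expression reads runtime input; "review" = expression, but no input marker seen.
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== DATA_TABLE_TYPE) continue;
    for (const { path, value } of findOrderByColumns(node.parameters || {})) {
      if (!isExpression(value)) continue; // static column name: not attacker-influenced
      const external = EXTERNAL_INPUT_MARKERS.some((m) => value.includes(m));
      findings.push({ node: node.name, path, expression: value, severity: external ? 'high' : 'review' });
    }
  }
  return findings;
}
// Constructed sample export (not a real workflow): one safe node, two to flag.
const SAMPLE_WORKFLOW = {
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'orders' } },
    { name: 'Safe Get', type: DATA_TABLE_TYPE, parameters: { operation: 'get', orderByColumn: 'created_at' } },
    { name: 'Risky Get', type: DATA_TABLE_TYPE, parameters: { operation: 'get', orderByColumn: '={{ $json.query.sort }}' } },
    { name: 'Nested Get', type: DATA_TABLE_TYPE, parameters: { operation: 'get', options: { orderByColumn: '={{ "name" }}' } } },
  ],
};
console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW), null, 2));
```

Run it against each file from an n8n workflow export; "high" findings are the nodes to fix or remove first, "review" findings need a human look at what the expression can evaluate to.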
CVE-2026-33713 is a critical SQL Injection vulnerability affecting n8n versions before 1.123.26, 2.13.3, and 2.14.1. It allows authenticated users to inject malicious SQL code, potentially leading to data compromise.
If you are running n8n versions prior to 1.123.26, 2.13.3, or 2.14.1, you are vulnerable. PostgreSQL deployments are at higher risk.
Upgrade n8n to version 1.123.26 or later, or to version 2.13.3 or 2.14.1. Restrict user permissions as a temporary workaround.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.
Refer to the n8n security advisories page for the latest information: [https://n8n.io/security](https://n8n.io/security)