CVE-2026-59257

Summary

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ … }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.

Affected Software

VendorProductVersion RangeStatus
n8nn8n0 < 1.123.61affected
n8nn8n1.123.61unaffected
n8nn8n0 < 2.28.1affected
n8nn8n2.28.1unaffected
n8nn8n0 < 2.27.4affected
n8nn8n2.27.4unaffected

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References