CVE-2026-56351 | n8n before version 2.4.0 contains a sql injection vulnerabil… | CVSS 8.2 HIGH

Description

n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier values in node configuration parameters. Attackers with workflow creation permissions can supply specially crafted table or column names to execute unauthorized database commands and compromise data integrity.

Metadata

CVE ID: CVE-2026-56351
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 18:13 UTC
Published: 2026-06-24 11:53 UTC
Last updated: 2026-06-24 12:42 UTC
Primary CWE: CWE-89
Improper Neutralization of Special Elements used in an SQL C…
Vendor / Product: n8n / n8n
Sources: cve.org · NVD

Severity & Metrics

8.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
n8n	n8n	—	0 < 2.4.0, 2.4.0

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References (2)

GitHub Security Advisory (GHSA-f3f2-mcxc-pwjx) https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx
VulnCheck Advisory: n8n - SQL Injection in MySQL, PostgreSQL, and Microsoft SQL Nodes https://www.vulncheck.com/advisories/n8n-sql-injection-in-mysql-postgresql-and-microsoft-sql-nodes