Back to overview

CVE-2026-59257

MEDIUM
5.3
CVSS 4.0
Description
n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ ... }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.

Metadata

CVE ID
CVE-2026-59257
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-04 12:17 UTC
Published
2026-07-08 13:49 UTC
Last updated
2026-07-08 13:49 UTC
Primary CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL C…
Vendor / Product
n8n / n8n
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Affected products (3)
VendorProductPlatformVersions
n8n n8n 0 < 1.123.61, 1.123.61
n8n n8n 0 < 2.28.1, 2.28.1
n8n n8n 0 < 2.27.4, 2.27.4
Weakness (CWE)
CWESourceDescription
CWE-89 cna Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
References (2)
Back to overview