CVE-2026-59257 in n8n
Summary
by MITRE • 07/08/2026
n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ ... }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/08/2026
This vulnerability exists within n8n's legacy MySQL v1 node implementation where the executeQuery operation fails to properly sanitize user-supplied input values before incorporating them into raw SQL statements. The flaw occurs when expression-based values are evaluated and directly substituted into SQL strings without proper parameterization or input validation mechanisms. This design oversight creates a critical security weakness that can be exploited through carefully crafted malicious inputs. The vulnerability specifically affects versions prior to 1.123.61, 2.x prior to 2.27.4, and 2.28.x prior to 2.28.1, indicating this was a known issue that required patching across multiple release branches.
The technical exploitation of this vulnerability relies on the fact that when workflows utilize externally-reachable triggers such as Webhook nodes, attacker-controlled data can flow directly into the expression evaluation context. When these expressions contain user-provided values that are then injected into SQL queries without proper sanitization, attackers can manipulate the database operations to execute arbitrary SQL commands. The privilege level of these operations corresponds exactly to the MySQL credentials configured within the n8n environment, meaning successful exploitation could grant attackers full access to the underlying database with the permissions of the connected account. This represents a classic sql injection vulnerability that falls under CWE-89, which specifically addresses improper neutralization of special elements used in SQL commands.
The operational impact of this vulnerability extends beyond simple data theft or modification, as it can enable complete database compromise when combined with appropriate attack vectors. Attackers could potentially escalate privileges through database-specific techniques, extract sensitive information from all tables accessible to the connected MySQL user, modify or delete critical data, and even establish persistence mechanisms within the database environment. The presence of externally-reachable triggers like Webhook nodes makes this vulnerability particularly dangerous in production environments where such connectivity is common. Organizations using n8n with exposed workflows face significant risk if they have not updated to patched versions, as the attack surface remains open for exploitation.
The remediation approach requires immediate upgrading to patched versions of n8n where the MySQL v2 node implementation properly employs parameterized queries and input sanitization. Security teams should conduct comprehensive audits of all n8n deployments to identify workflows utilizing the legacy MySQL v1 node and migrate them to the secure v2 implementation. Additionally, organizations should implement network segmentation to limit external exposure of n8n instances and establish monitoring for suspicious database activity patterns that might indicate exploitation attempts. The vulnerability also aligns with ATT&CK technique T1071.005 for application layer protocol usage and T1566 for credential access through web application attacks, indicating this issue should be monitored as part of broader cybersecurity defensive strategies. Organizations should also consider implementing database activity monitoring solutions to detect anomalous SQL execution patterns that could indicate exploitation attempts.