{"data":{"id":"c57ed4b7-6391-4298-bf37-5b6ebe31b061","title":"GHSA-f3f2-mcxc-pwjx: n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes","summary":"n8n (a workflow automation tool) had a SQL injection vulnerability (a type of attack where specially crafted input tricks a database into running unintended commands) in its MySQL, PostgreSQL, and Microsoft SQL nodes. Attackers who could create or edit workflows could inject malicious SQL code through table or column names because these nodes didn't properly escape identifier values when building database queries.","solution":"The issue has been fixed in n8n version 2.4.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should: (1) Limit workflow creation and editing permissions to fully trusted users only, or (2) Disable the MySQL, PostgreSQL, and Microsoft SQL nodes by adding `n8n-nodes-base.mySql`, `n8n-nodes-base.postgres`, and `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-f3f2-mcxc-pwjx","publishedAt":"2026-02-26T15:56:31.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":["n8n@< 2.4.0 (fixed: 2.4.0)"],"affectedVendors":[],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}