GHSA-c37g-w77q-m4vp: n8n: SQL Injection in Postgres v1/TimescaleDB Nodes
Summary
n8n, a workflow automation tool, has a SQL injection vulnerability (a flaw that lets attackers insert malicious database commands) in its Postgres v1 and TimescaleDB nodes. An authenticated user with permission to create or edit workflows could exploit this to run arbitrary SQL commands against connected databases with the privileges of the configured database account.
Solution / Mitigation
The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. As temporary workarounds, administrators can limit workflow creation and editing permissions to fully trusted users only, or disable the Postgres and TimescaleDB nodes by adding `n8n-nodes-base.postgres` and `n8n-nodes-base.timescaleDb` to the `NODES_EXCLUDE` environment variable. However, the source notes that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
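As an added example (not from the advisory and not n8n's own code), a POSIX shell triage helper that applies the fixed-version ranges above and checks whether a `NODES_EXCLUDE` value actually names both affected node types; it assumes the JSON-array string format that n8n's documentation uses for `NODES_EXCLUDE`.

```shell
#!/bin/sh
# Added triage helper for GHSA-c37g-w77q-m4vp (not part of the advisory or of n8n).
# Fixed releases per the advisory: 2.25.7 (2.25 line) and 2.26.2 (2.26 line and later).

# n8n_is_fixed VERSION -> exit 0 if VERSION carries the fix, 1 if it is still affected.
# Trap: 2.26.0 and 2.26.1 are newer than 2.25.7 but are NOT fixed.
n8n_is_fixed() {
    ver=${1#v}                       # tolerate a leading "v"
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    patch=${patch%%[!0-9]*}          # drop pre-release suffixes such as "-rc.1"
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 26 ] && return 0
    [ "$minor" -eq 26 ] && [ "$patch" -ge 2 ] && return 0
    [ "$minor" -eq 25 ] && [ "$patch" -ge 7 ] && return 0
    return 1
}

# nodes_exclude_covers NODES_EXCLUDE_VALUE -> exit 0 if both vulnerable node types are
# excluded. Assumes NODES_EXCLUDE is a JSON array string (as in n8n's docs), so the ids
# are matched with their quotes to avoid false positives on e.g. "...postgresTrigger".
nodes_exclude_covers() {
    case "$1" in *\"n8n-nodes-base.postgres\"*) ;; *) return 1 ;; esac
    case "$1" in *\"n8n-nodes-base.timescaleDb\"*) return 0 ;; *) return 1 ;; esac
}

# triage VERSION NODES_EXCLUDE_VALUE -> prints the status; exit 0 only once upgraded.
triage() {
    if n8n_is_fixed "$1"; then
        echo "n8n $1: fixed release, no workaround needed"; return 0
    elif nodes_exclude_covers "$2"; then
        echo "n8n $1: affected; Postgres/TimescaleDB nodes excluded (short-term only)"; return 2
    else
        echo "n8n $1: affected and Postgres/TimescaleDB nodes still enabled"; return 1
    fi
}

# Constructed sample inputs (not real deployments):
triage 2.26.1 '[]'
triage 2.26.1 '["n8n-nodes-base.postgres","n8n-nodes-base.timescaleDb"]'
triage 2.26.2 '[]'
```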
Vulnerability Details
EPSS: 0.0%
June 16, 2026
Original source: https://github.com/advisories/GHSA-c37g-w77q-m4vp
First tracked: June 16, 2026 at 02:00 PM