GHSA-98c2-4cr3-4jc3: n8n has SQL Injection in Data Table Node via orderByColumn Expression
Summary
n8n, a workflow automation tool, has a SQL injection vulnerability (a security flaw where attackers can insert malicious database commands) in its Data Table Get node that allows authenticated users to manipulate database queries. On PostgreSQL databases, attackers could modify or delete data, though the risk is more limited on the default SQLite database.
Solution / Mitigation
The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later. As temporary workarounds if upgrading is not immediately possible: limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
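The third workaround, reviewing workflows for Data Table nodes whose `orderByColumn` is an expression, can be scripted against exported workflow JSON. The following is an added example, not code from n8n or from the advisory. It assumes the usual export layout (a top-level `nodes` list whose entries carry `type`, `name` and `parameters`) and that expression values are stored as strings beginning with `=`. Because the page does not state where `orderByColumn` sits inside `parameters`, the search is recursive, and the sample workflow is constructed.

```python
import json

DATA_TABLE_TYPE = "n8n-nodes-base.dataTable"  # node type named in the advisory

def _strings(value):
    """Yield every string leaf under value (plain string, dict or list)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from _strings(item)

def _order_by_values(params):
    """Yield strings stored under any 'orderByColumn' key, at any depth."""
    if isinstance(params, dict):
        for key, item in params.items():
            if key == "orderByColumn":
                yield from _strings(item)
            else:
                yield from _order_by_values(item)
    elif isinstance(params, list):
        for item in params:
            yield from _order_by_values(item)

def find_expression_order_by(workflow):
    """Return (workflow, node, value) for Data Table nodes with an expression orderByColumn."""
    hits = []
    for node in workflow.get("nodes", []):
        if node.get("type") != DATA_TABLE_TYPE:
            continue
        for value in _order_by_values(node.get("parameters", {})):
            if value.startswith("="):  # assumption: expressions are stored with a leading "="
                hits.append((workflow.get("name", "?"), node.get("name", "?"), value))
    return hits

# Constructed sample export; parameter names other than orderByColumn are illustrative.
SAMPLE = json.loads(r"""
{"name": "Constructed sample", "nodes": [
  {"name": "Static sort", "type": "n8n-nodes-base.dataTable",
   "parameters": {"orderByColumn": "createdAt"}},
  {"name": "Lookup rows", "type": "n8n-nodes-base.dataTable",
   "parameters": {"options": {"orderByColumn": "={{ $json.query.sort }}"}}},
  {"name": "Other node", "type": "n8n-nodes-base.set",
   "parameters": {"orderByColumn": "={{ $json.x }}"}}
]}
""")

if __name__ == "__main__":
    for wf, node, value in find_expression_order_by(SAMPLE):
        print(f"REVIEW {wf} / {node}: orderByColumn = {value}")
```

Each hit still needs a manual look to decide whether the expression incorporates external or user-supplied input; a static column name is not flagged.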
Vulnerability Details
EPSS: 0.0%
March 26, 2026
Original source: https://github.com/advisories/GHSA-98c2-4cr3-4jc3
First tracked: March 26, 2026 at 02:00 PM