GHSA-mhrx-qhrj-673w: n8n Has a Source Control Pull SQL Injection
Summary
n8n (a workflow automation platform) has a SQL injection vulnerability (a type of attack where malicious code is inserted into database queries) in its Source Control Pull feature. An attacker with write access to a connected git repository could commit a malicious file that, when pulled by an administrator, executes harmful SQL commands on n8n's internal PostgreSQL database (the system that stores data).
Solution / Mitigation
The issue has been fixed in n8n version 1.123.43, 2.20.7, and 2.21.1. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should: disable the Source Control feature if not actively required, restrict write access to the connected git repository to fully trusted users only, or avoid pulling from repositories that may have been modified by untrusted parties. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Vulnerability Details
EPSS: 0.0%
Yes
May 14, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-mhrx-qhrj-673w
First tracked: May 14, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%