PT-2026-28080 · N8N · N8N

Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33713

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

n8n versions prior to 1.123.26
n8n versions prior to 2.13.3
n8n versions prior to 2.14.1

Description

n8n is a workflow automation platform susceptible to a SQL injection issue in the Data Table Get node. An authenticated user with appropriate permissions can manipulate SQL statements, potentially leading to data modification or deletion, particularly on PostgreSQL deployments. The attack surface is limited on default SQLite databases. The issue stems from the orderByColumn parameter within the Data Table Get node, which can be exploited when set to an expression incorporating external or user-supplied input.

Recommendations

Upgrade to n8n version 1.123.26 or later.
Upgrade to n8n version 2.13.3 or later.
Upgrade to n8n version 2.14.1 or later.
If upgrading is not immediately possible, limit workflow creation and editing permissions to trusted users only.
If upgrading is not immediately possible, disable the Data Table node by adding n8n-nodes-base.dataTable to the NODES_EXCLUDE environment variable.
If upgrading is not immediately possible, review existing workflows for Data Table Get nodes where orderByColumn is set to an expression that incorporates external or user-supplied input.
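
One way to carry out the workflow review in the last recommendation, as an added example (not code from n8n or from this advisory): it walks an exported workflow's nodes and reports every n8n-nodes-base.dataTable node whose orderByColumn holds an expression. Assumptions: the export has the usual `nodes[].type` / `nodes[].parameters` shape, expression values are strings beginning with `=`, and the `referencesInput` flag is a heuristic; the function names and the sample workflow are constructed for illustration.

```javascript
const DATA_TABLE_TYPE = 'n8n-nodes-base.dataTable'; // node type named in the advisory

// n8n stores an expression-valued parameter as a string that starts with "=".
const isExpression = (v) => typeof v === 'string' && v.startsWith('=');
// Heuristic (assumption): variables that read item data or other nodes' output.
const INPUT_REF = /\$json|\$input|\$node|\$binary|\$items|\$\(/;

// All string leaves under a value, in case the parameter is stored as an object.
const leaves = (v) => typeof v === 'string' ? [v]
  : v && typeof v === 'object' ? Object.values(v).flatMap(leaves) : [];

// Collect every orderByColumn key at any depth; its exact nesting is not assumed.
function findOrderBy(value, path = 'parameters', out = []) {
  if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (key === 'orderByColumn') out.push({ path: childPath, value: child });
      findOrderBy(child, childPath, out);
    }
  }
  return out;
}

function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    if (node.type !== DATA_TABLE_TYPE) continue;
    for (const { path, value } of findOrderBy(node.parameters)) {
      for (const expression of leaves(value).filter(isExpression)) {
        findings.push({ workflow: workflow.name, node: node.name, path,
          expression, referencesInput: INPUT_REF.test(expression) });
      }
    }
  }
  return findings;
}

// Constructed sample export (not from a real deployment).
const sampleWorkflow = {
  name: 'constructed-sample',
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'rows' } },
    { name: 'Lookup rows', type: DATA_TABLE_TYPE,
      parameters: { orderByColumn: '={{ $json.query.sort }}' } },
    { name: 'Static sort', type: DATA_TABLE_TYPE, parameters: { orderByColumn: 'createdAt' } },
    { name: 'Nested option', type: DATA_TABLE_TYPE,
      parameters: { options: { orderByColumn: "={{ 'name' }}" } } },
  ],
};
console.table(auditWorkflow(sampleWorkflow));
```

Findings with `referencesInput: true` are the ones to review first; a fixed column name such as `createdAt` is not reported.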

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-33713
GHSA-98C2-4CR3-4JC3

Affected Products

N8N