CVE-2026-27497: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n
n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AI Analysis
Technical Summary
CVE-2026-27497 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) and CWE-89 (SQL Injection) affecting the open-source workflow automation platform n8n. The flaw exists in the Merge node's SQL query mode, which improperly handles user input, allowing an authenticated user with permissions to create or modify workflows to inject and execute arbitrary code on the n8n server. This capability extends to writing arbitrary files, enabling attackers to potentially deploy backdoors, manipulate workflows, or disrupt operations. Exploitation requires authentication but no additional user interaction, making it highly accessible to insiders or compromised accounts. The vulnerability affects multiple version ranges: all versions prior to 1.123.22, versions from 2.0.0 up to but not including 2.9.3, and versions 2.10.0 up to but not including 2.10.1. The vendor has addressed the issue in versions 2.10.1, 2.9.3, and 1.123.22. The CVSS 4.0 base score of 9.4 indicates a critical severity with network attack vector, low attack complexity, no privileges required beyond workflow modification rights, and no user interaction needed. The vulnerability's scope is high as it impacts confidentiality, integrity, and availability of the affected systems. Temporary mitigations include restricting workflow creation and editing permissions to fully trusted users and disabling the Merge node by excluding it via the NODES_EXCLUDE environment variable, though these are not complete fixes. No known exploits in the wild have been reported yet, but the severity and ease of exploitation make timely patching imperative.
Potential Impact
The impact of CVE-2026-27497 is severe for organizations using n8n for workflow automation. Successful exploitation allows attackers to execute arbitrary code and write files on the server, potentially leading to full system compromise. This can result in unauthorized data access, data manipulation, disruption of automated processes, deployment of persistent malware, and lateral movement within the network. Since n8n often integrates with various enterprise systems and services, the compromise can cascade, affecting broader IT infrastructure and business operations. The vulnerability undermines confidentiality, integrity, and availability, posing risks to sensitive data and critical automation workflows. Organizations relying on n8n for business-critical automation, especially in regulated industries or those with sensitive data, face heightened risks of operational disruption and data breaches. The ease of exploitation by any authenticated user with workflow modification rights increases insider threat risks and the impact of compromised credentials.
Mitigation Recommendations
To mitigate CVE-2026-27497, organizations should immediately upgrade n8n to versions 2.10.1, 2.9.3, or 1.123.22 or later, where the vulnerability is fully patched. Until upgrades can be applied, restrict workflow creation and editing permissions strictly to fully trusted and vetted users to reduce the attack surface. Additionally, disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable to prevent exploitation via the vulnerable node, understanding this is a temporary measure and does not fully eliminate risk. Implement strong authentication and monitoring for accounts with workflow modification privileges to detect suspicious activity. Employ network segmentation to isolate n8n servers from critical infrastructure and sensitive data stores. Regularly audit workflows for unauthorized changes and review logs for anomalous behavior. Finally, maintain an incident response plan tailored to automation platform compromises to quickly contain and remediate potential breaches.
Affected Countries
United States, Germany, United Kingdom, Netherlands, Australia, Canada, France, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-19T19:46:03.542Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f7a9cb7ef31ef0b62e4d9
Added to database: 2/25/2026, 10:41:32 PM
Last enriched: 3/5/2026, 10:02:26 AM
Last updated: 4/12/2026, 12:52:47 AM
Views: 432