
CVE-2026-27497: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n

Severity: Critical
Tags: Vulnerability, CVE-2026-27497, cve, cwe-94, cwe-89
Published: Wed Feb 25 2026 (02/25/2026, 22:16:08 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

CVE-2026-27497 is a critical code injection vulnerability in the n8n workflow automation platform affecting versions prior to 2.10.1, 2.9.3, and 1.123.22. An authenticated user with permissions to create or modify workflows can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server without user interaction. This vulnerability allows full compromise of the n8n server, impacting confidentiality, integrity, and availability. The issue is fixed in the specified patched versions, and users are strongly advised to upgrade immediately.

AI-Powered Analysis

Last updated: 02/25/2026, 22:56:10 UTC

Technical Analysis

CVE-2026-27497 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) and CWE-89 (SQL Injection) affecting the open-source workflow automation platform n8n. The flaw exists in the Merge node's SQL query mode, which improperly handles user-supplied input, allowing an authenticated user with workflow creation or modification permissions to inject and execute arbitrary code on the n8n server. This code injection can also be leveraged to write arbitrary files, potentially leading to full system compromise. The vulnerability requires authentication but no additional user interaction, making it highly exploitable in environments where users have workflow editing rights. The affected versions include all releases prior to 1.123.22, versions from 2.0.0 up to but not including 2.9.3, and versions 2.10.0 up to but not including 2.10.1. The vulnerability was publicly disclosed on February 25, 2026, with a CVSS 4.0 base score of 9.4, indicating critical severity. No known exploits are currently reported in the wild, but the potential impact is severe. The vendor has released fixed versions 2.10.1, 2.9.3, and 1.123.22 to remediate the issue. Until upgrading, administrators are advised to limit workflow creation and editing permissions to fully trusted users and disable the Merge node by excluding it via the NODES_EXCLUDE environment variable. These mitigations reduce risk but do not fully resolve the vulnerability. The flaw poses a significant threat to the confidentiality, integrity, and availability of n8n servers and any connected systems or data.

Potential Impact

The impact of CVE-2026-27497 is severe and wide-ranging. Successful exploitation allows an authenticated user to execute arbitrary code and write files on the n8n server, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, disruption or manipulation of automated workflows, and pivoting to other internal systems. Organizations relying on n8n for critical business process automation, data integration, or orchestration may experience operational downtime, data breaches, or loss of trust. Because the vulnerability requires only authenticated access with workflow editing permissions, insider threats or compromised user accounts pose significant risks. The ability to write arbitrary files also raises the possibility of persistent backdoors or malware installation. Given n8n’s growing adoption in enterprises and cloud environments, the vulnerability could be leveraged in targeted attacks against organizations in sectors such as finance, healthcare, manufacturing, and technology. The lack of known exploits in the wild currently provides a window for proactive remediation, but the critical CVSS score underscores the urgency of patching.

Mitigation Recommendations

1. Immediate upgrade to n8n versions 2.10.1, 2.9.3, or 1.123.22 or later is the most effective mitigation to fully remediate the vulnerability.
2. Restrict workflow creation and editing permissions strictly to fully trusted and verified users to reduce the attack surface.
3. Temporarily disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable to prevent exploitation via the vulnerable node.
4. Implement strong authentication and access controls, including multi-factor authentication, to protect accounts with workflow modification rights.
5. Monitor logs and workflow changes for suspicious activity indicative of exploitation attempts.
6. Conduct regular audits of user permissions and workflows to detect unauthorized modifications.
7. Isolate n8n servers within segmented network zones to limit lateral movement if compromised.
8. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious SQL query patterns in the Merge node.
9. Educate administrators and users about the risks of granting workflow editing permissions broadly.
10. Prepare incident response plans specific to n8n compromise scenarios.
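The two checks an administrator most needs from the list above are "is my running version inside the affected ranges?" and "if I cannot upgrade yet, is the Merge node actually excluded?". The script below is an added example (not part of this advisory and not n8n's own code) that encodes the affected ranges exactly as stated in the Technical Analysis (below 1.123.22, 2.0.0 to below 2.9.3, 2.10.0 to below 2.10.1) and inspects a `NODES_EXCLUDE` value. It assumes `NODES_EXCLUDE` holds a JSON array of node type names, which is the format the n8n documentation uses for that variable; the `N8N_VERSION` environment variable in the `__main__` block is a constructed convenience for running the check against a host, not an n8n setting.

```python
"""Assess an n8n deployment against CVE-2026-27497 (added example, not n8n code)."""
import json
import os
import re

# Affected ranges as [lo, hi), taken from the advisory's Technical Analysis.
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 123, 22)),   # everything before 1.123.22
    ((2, 0, 0), (2, 9, 3)),      # 2.0.0 up to but not including 2.9.3
    ((2, 10, 0), (2, 10, 1)),    # 2.10.0 up to but not including 2.10.1
]

# Node type name the advisory says to exclude as an interim mitigation.
MERGE_NODE = "n8n-nodes-base.merge"

VULNERABLE = "vulnerable"   # affected version, Merge node still enabled
MITIGATED = "mitigated"     # affected version, Merge node excluded (interim only)
PATCHED = "patched"         # version outside the affected ranges


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional pre-release
    suffix) into an integer tuple. Pre-release suffixes are ignored, so a
    release candidate of a fixed version is treated as that version."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.\-]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version falls inside any advisory-listed affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def merge_node_excluded(nodes_exclude):
    """True only if NODES_EXCLUDE is a JSON array containing the Merge node.
    Malformed or missing values count as 'not excluded' so the check fails closed."""
    if not nodes_exclude:
        return False
    try:
        names = json.loads(nodes_exclude)
    except json.JSONDecodeError:
        return False
    return isinstance(names, list) and MERGE_NODE in names


def assess(version, nodes_exclude=None):
    """Combine both checks into one of PATCHED, MITIGATED or VULNERABLE."""
    if not is_affected(version):
        return PATCHED
    if merge_node_excluded(nodes_exclude):
        return MITIGATED
    return VULNERABLE


if __name__ == "__main__":
    # N8N_VERSION is a constructed input for this script; NODES_EXCLUDE is the
    # real n8n variable, read from the environment of the host being checked.
    version = os.environ.get("N8N_VERSION", "1.123.21")
    exclude = os.environ.get("NODES_EXCLUDE")
    print(f"n8n {version}: {assess(version, exclude)}")
```

Run it on the n8n host (or in the container) with `N8N_VERSION` set to the output of `n8n --version`; `MITIGATED` means the Merge node exclusion is in place but the upgrade to 2.10.1, 2.9.3 or 1.123.22 is still outstanding.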


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-19T19:46:03.542Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699f7a9cb7ef31ef0b62e4d9

Added to database: 2/25/2026, 10:41:32 PM

Last enriched: 2/25/2026, 10:56:10 PM

Last updated: 2/26/2026, 4:35:45 AM

Views: 14
