CVE-2026-33713: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in n8n-io n8n
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AI Analysis
Technical Summary
CVE-2026-33713 is an SQL injection vulnerability (CWE-89) in n8n, the open-source workflow automation platform. The flaw is in the Data Table Get node, which builds part of its SQL from node parameters without neutralizing SQL metacharacters; the advisory's workaround points at the `orderByColumn` parameter as the value to review. A user who can create or edit workflows can therefore supply a value that changes the query the node runs. On the default SQLite database only the single statement can be manipulated, so the practical impact is limited to altering what the query reads. On PostgreSQL deployments multi-statement execution is possible, so the injected text can append further statements that modify or delete data. Exploitation needs an authenticated account with workflow creation or editing rights and no interaction from anyone else, which makes it straightforward in environments that grant those rights broadly. Affected versions are those prior to 1.123.26, 2.0.0-rc.0 up to but not including 2.13.3, and 2.14.0; the fix ships in 1.123.26, 2.13.3 and 2.14.1. Until an upgrade can be applied, administrators are advised to limit workflow editing to trusted users, disable the Data Table node through the NODES_EXCLUDE environment variable, and audit existing workflows for Data Table Get nodes whose orderByColumn is an expression that incorporates external input; these measures reduce but do not eliminate the risk. The CVSS 4.0 base score is 8.7 (High): network attack vector, low attack complexity, low privileges required (an ordinary authenticated user with workflow editing rights), no user interaction, and high impact on confidentiality, integrity and availability. No exploitation in the wild is known at this time.
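The bug class described above, as an added illustration that is not n8n's code: an ORDER BY clause assembled by string interpolation (the pattern an injectable sort-column parameter implies) beside a hardened builder. A column name cannot be bound as a query parameter, so the fix is to allow-list the value against the table's real column names and quote it as an identifier. The table name, column list and hostile input are constructed for the example.

```javascript
// Added example: the bug class behind an injectable ORDER BY column.
// Not n8n's code; table and column names are constructed for illustration.

// Vulnerable: the column name is interpolated straight into the SQL text.
// Identifiers cannot be bound parameters, so an attacker-controlled value
// becomes SQL. On a driver that accepts several statements per call, the
// appended statement runs too; on one that does not, only the first is parsed.
function buildQueryVulnerable(table, orderByColumn, direction) {
  return `SELECT * FROM "${table}" ORDER BY ${orderByColumn} ${direction}`;
}

// Standard SQL identifier quoting: wrap in double quotes, double any embedded ones.
function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Hardened: the column must match one of the table's known columns exactly,
// the direction is clamped to two literals, and the identifier is quoted.
function buildQueryHardened(table, knownColumns, orderByColumn, direction) {
  if (!knownColumns.includes(orderByColumn)) {
    throw new Error(`unknown column for ORDER BY: ${JSON.stringify(orderByColumn)}`);
  }
  const dir = String(direction).toUpperCase() === 'DESC' ? 'DESC' : 'ASC';
  return `SELECT * FROM ${quoteIdent(table)} ORDER BY ${quoteIdent(orderByColumn)} ${dir}`;
}

// Constructed inputs: a "sort column" that carries a second statement.
const KNOWN_COLUMNS = ['id', 'name', 'createdAt'];
const HOSTILE = 'id; DELETE FROM "customers"; --';

// Runs both builders against the same inputs and returns the outcomes.
function demo() {
  const vulnerable = buildQueryVulnerable('customers', HOSTILE, 'ASC');
  let hardenedError = null;
  try {
    buildQueryHardened('customers', KNOWN_COLUMNS, HOSTILE, 'ASC');
  } catch (e) {
    hardenedError = e.message;
  }
  const safe = buildQueryHardened('customers', KNOWN_COLUMNS, 'createdAt', 'desc');
  return { vulnerable, hardenedError, safe };
}

console.log(demo());
```

The allow-list is the essential part: quoting alone would turn the hostile value into a (nonexistent) column name and fail the query, which is acceptable, but quoting without the allow-list still lets a user probe for any column in the table. The allow-list should come from the table's actual schema, not from the request.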
Potential Impact
Successful exploitation gives an authenticated workflow editor the ability to read, and on PostgreSQL to modify or delete, data in n8n's backing database, so the confidentiality, integrity and availability of everything stored there are at risk. On PostgreSQL-backed instances the attacker can append further statements, which turns a manipulated read into data corruption or deletion. Because the injected SQL runs against n8n's own database rather than only the Data Table being queried, the blast radius is the whole n8n data store. Organizations that depend on n8n for critical automation may face operational disruption, data loss and compliance exposure. Since exploitation needs only authenticated workflow editing rights, insider threats and compromised user accounts are the realistic attack path, and the risk is highest where those rights are granted broadly. Production deployments on PostgreSQL are the most exposed, since that is where multi-statement execution makes the damage potential greatest.
Mitigation Recommendations
1. Upgrade n8n to 1.123.26, 2.13.3, 2.14.1 or later; the patch is the only complete remediation.
2. Restrict workflow creation and modification rights to fully trusted, vetted users, since that permission is the only privilege the attack needs.
3. Until patched, disable the Data Table node by listing it in the NODES_EXCLUDE environment variable, which takes a JSON array of node type names, for example NODES_EXCLUDE='["n8n-nodes-base.dataTable"]'. Existing workflows that use the node will no longer run correctly, so identify them first.
4. Audit existing workflows for Data Table Get nodes whose 'orderByColumn' is an expression that incorporates external or user-supplied input (webhook payloads, output of upstream nodes), and replace such expressions with fixed column names or remove the node.
5. Enforce strong authentication and monitoring for accounts with workflow editing rights so that unauthorized use of those accounts is detected.
6. Limit the blast radius at the database level: run n8n against a dedicated PostgreSQL database and role with no privileges on other databases or schemas and no superuser rights. Parameterized queries and identifier allow-listing are the code-level fix applied by the patch; they are not something an operator can retrofit from outside.
7. Monitor n8n logs and database activity for unexpected statements, in particular DML or DDL issued by the n8n database role outside normal migration windows.
These measures, combined with patching, provide a layered defense against this vulnerability.
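The audit in step 4, as an added example rather than n8n's own tooling: a script that walks exported workflow JSON, finds every `orderByColumn` on a Data Table node regardless of nesting, and classifies it as a static value, an expression, or an expression that pulls in data from upstream nodes. It assumes the usual export shape (an array of workflows, each with `name` and `nodes`, each node with `type` and `parameters`), that n8n expression values are strings beginning with `=`, and that the `$json`/`$input`/`$(...)`/`$node` tokens indicate data arriving from other nodes; the sample export is constructed, not taken from a real instance.

```javascript
// Added example: audit exported n8n workflow JSON for Data Table nodes whose
// orderByColumn is driven by an expression. Not n8n's own tooling.
// Assumptions (not from the advisory): export shape as described in the
// lead-in, expressions start with "=", and the tokens below mean upstream data.

const DATA_TABLE_TYPE = 'n8n-nodes-base.dataTable';
// Heuristic: expression tokens that pull in data from other nodes or the input.
const EXTERNAL_INPUT = /\$json\b|\$input\b|\$\(|\$node\b|\$items\b|\$binary\b/;

// Walk parameters recursively and yield every orderByColumn, whatever nesting
// the node version uses, with a dotted path for the report.
function* findOrderByColumns(value, path = 'parameters') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* findOrderByColumns(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const p = `${path}.${k}`;
      if (k === 'orderByColumn') yield { path: p, value: v };
      yield* findOrderByColumns(v, p);
    }
  }
}

function classify(value) {
  if (typeof value !== 'string' || !value.startsWith('=')) return 'static';
  return EXTERNAL_INPUT.test(value) ? 'external-input' : 'expression';
}

// One finding per orderByColumn on a Data Table node. Static values are kept
// so the auditor can see coverage, not only hits. The operation is not
// filtered on, so any Data Table node carrying the parameter is reported.
function auditWorkflows(workflows) {
  const findings = [];
  for (const wf of workflows) {
    for (const node of wf.nodes || []) {
      if (node.type !== DATA_TABLE_TYPE) continue;
      for (const hit of findOrderByColumns(node.parameters || {})) {
        findings.push({ workflow: wf.name, node: node.name, path: hit.path,
                        value: hit.value, risk: classify(hit.value) });
      }
    }
  }
  return findings;
}

// Reads a file written by `n8n export:workflow` (an array with --all, or a
// single workflow object with --separate) and audits it.
function auditExportFile(filePath) {
  const data = JSON.parse(require('fs').readFileSync(filePath, 'utf8'));
  return auditWorkflows(Array.isArray(data) ? data : [data]);
}

// Only non-static findings need a human; one line each.
function summarize(findings) {
  return findings.filter(f => f.risk !== 'static')
    .map(f => `${f.risk.toUpperCase()}: ${f.workflow} / ${f.node} @ ${f.path} = ${f.value}`);
}

// Constructed sample export (not a real instance's data).
const SAMPLE_EXPORT = [
  { name: 'Lookup by fixed column', nodes: [
    { name: 'Data Table', type: DATA_TABLE_TYPE,
      parameters: { operation: 'get', orderByColumn: 'createdAt' } } ] },
  { name: 'Sort from webhook', nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: {} },
    { name: 'Data Table1', type: DATA_TABLE_TYPE,
      parameters: { operation: 'get', orderByColumn: '={{ $json.query.sort }}' } } ] },
  { name: 'Sort from static expr', nodes: [
    { name: 'Data Table2', type: DATA_TABLE_TYPE,
      parameters: { operation: 'get', options: { orderByColumn: "={{ 'name' }}" } } } ] },
];

console.log(summarize(auditWorkflows(SAMPLE_EXPORT)).join('\n'));
```

Point `auditExportFile` at the output of `n8n export:workflow --all --output=workflows.json`. Treat every `EXTERNAL-INPUT` line as something to fix before the upgrade lands; plain `EXPRESSION` lines still deserve a look, because an expression that reads a variable or a previous node's field can be fed by user input indirectly, which the token heuristic cannot see.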
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.747Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69c422f4f4197a8e3b7492f7
Added to database: 3/25/2026, 6:01:24 PM
Last enriched: 3/25/2026, 6:15:56 PM
Last updated: 3/26/2026, 5:33:00 AM