GHSA-f3f2-mcxc-pwjx: n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes
An authenticated user with permission to create or modify workflows and access to a database credential could unknowingly create a workflow that was vulnerable to SQL injection, even while expecting inputs to be handled safely through escaped parameters. By supplying specially crafted table or column names, an attacker could inject arbitrary SQL because the MySQL, PostgreSQL, and Microsoft SQL nodes did not escape identifier values when constructing queries, enabling injection through node configuration parameters.
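The flaw described above, as an added example that is not n8n's own code: a minimal query builder in which the value is bound through a placeholder but the table and column names are concatenated verbatim, beside a hardened builder that quotes identifiers per dialect (and can check them against a schema allowlist). Dialect keys, function names and the constructed crafted identifier are assumptions for illustration.

```javascript
// Added example (not n8n's code). Shows the identifier-interpolation
// pattern behind GHSA-f3f2-mcxc-pwjx next to a hardened form.

// Per-dialect identifier quoting and value placeholder syntax (assumed).
const DIALECTS = {
  postgres: { open: '"', close: '"', param: (i) => `$${i}` },
  mysql:    { open: '`', close: '`', param: () => '?' },
  mssql:    { open: '[', close: ']', param: (i) => `@p${i}` },
};

// Quote a table or column name for the given dialect. Any closing quote
// character inside the name is doubled, which is how all three engines
// escape it within a quoted identifier.
function quoteIdentifier(dialect, name) {
  const d = DIALECTS[dialect];
  if (!d) throw new Error(`unsupported dialect: ${dialect}`);
  if (typeof name !== 'string' || name.length === 0) {
    throw new Error('identifier must be a non-empty string');
  }
  return d.open + name.split(d.close).join(d.close + d.close) + d.close;
}

// Vulnerable pattern: the value is bound through a placeholder, but the
// table and column names are concatenated verbatim, so anything placed in
// those node parameters becomes part of the SQL text.
function buildSelectUnsafe(dialect, table, column, value) {
  const p = DIALECTS[dialect].param(1);
  return { text: `SELECT ${column} FROM ${table} WHERE ${column} = ${p}`, values: [value] };
}

// Hardened pattern: identifiers are quoted per dialect and, when an
// allowlist of names read from the schema is supplied, rejected if unknown;
// the value stays parameterized.
function buildSelectSafe(dialect, table, column, value, allowed) {
  if (allowed) {
    for (const name of [table, column]) {
      if (!allowed.has(name)) throw new Error(`unknown identifier: ${name}`);
    }
  }
  const t = quoteIdentifier(dialect, table);
  const c = quoteIdentifier(dialect, column);
  const p = DIALECTS[dialect].param(1);
  return { text: `SELECT ${c} FROM ${t} WHERE ${c} = ${p}`, values: [value] };
}

// Constructed input: a table name carrying a quote and a comment marker is
// passed through untouched by the unsafe builder and neutralised by the safe one.
const crafted = 'users"; --';
console.log(buildSelectUnsafe('postgres', crafted, 'email', 'a@example.com').text);
console.log(buildSelectSafe('postgres', crafted, 'email', 'a@example.com').text);
```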