CVE-2026-27497 Overview
CVE-2026-27497 is a critical SQL Injection vulnerability in n8n, an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. This vulnerability combines SQL Injection (CWE-89) with code execution capabilities, significantly amplifying the potential impact.
Critical Impact
Authenticated attackers can achieve remote code execution and arbitrary file write on n8n servers by exploiting the Merge node's SQL query mode, potentially leading to complete system compromise.
Affected Products
- n8n versions prior to 2.10.1
- n8n versions prior to 2.9.3
- n8n versions prior to 1.123.22
Discovery Timeline
- February 25, 2026 - CVE-2026-27497 published to NVD
- February 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27497
Vulnerability Analysis
This vulnerability exists within the Merge node component of n8n's workflow automation engine. The Merge node provides a SQL query mode that allows users to combine and manipulate data from multiple input sources using SQL-like syntax. However, the implementation fails to properly sanitize user-supplied SQL queries before processing, creating an injection vector that can be exploited by authenticated users with workflow creation or modification privileges.
The flaw is particularly dangerous because it allows attackers to escape the SQL query context and execute arbitrary code on the underlying n8n server. Additionally, the vulnerability enables arbitrary file write operations, which could be leveraged for persistence mechanisms, credential theft, or further lateral movement within the network.
The network-based attack vector with low complexity makes this vulnerability accessible to any authenticated user who can access the workflow editor, significantly expanding the potential attack surface in multi-user n8n deployments.
Root Cause
The root cause of CVE-2026-27497 is improper input validation (CWE-89) within the Merge node's SQL query processing functionality. The application fails to adequately sanitize, escape, or parameterize user-supplied input before incorporating it into SQL query execution, allowing malicious actors to inject commands that extend beyond the intended SQL operations into code execution and file system manipulation.
Attack Vector
An attacker must first authenticate to the n8n platform and possess permissions to create or modify workflows. Once these prerequisites are met, the attacker can craft a malicious workflow containing a Merge node configured in SQL query mode. By injecting specially crafted SQL statements, the attacker can break out of the SQL execution context to execute arbitrary commands on the server and write files to arbitrary locations.
The exploitation mechanism relies on the Merge node's integration with underlying server-side processing, where injected payloads can leverage native functions or escape sequences to achieve code execution beyond the SQL layer.
Detection Methods for CVE-2026-27497
Indicators of Compromise
- Unusual workflow creation or modification activity by users, especially involving Merge nodes with SQL query mode
- Unexpected file write operations on the n8n server, particularly to sensitive directories
- Anomalous process spawning from the n8n application
- Suspicious outbound network connections originating from the n8n server process
- Modified or newly created files in system directories not associated with normal n8n operations
Detection Strategies
- Monitor n8n application logs for workflow modifications involving the Merge node with SQL query mode enabled
- Implement file integrity monitoring (FIM) on the n8n server to detect unauthorized file writes
- Deploy endpoint detection and response (EDR) solutions to identify suspicious command execution patterns from the n8n process
- Audit user permissions regularly to ensure only trusted users have workflow creation and editing capabilities
Monitoring Recommendations
- Enable verbose logging for workflow execution and user activity within n8n
- Configure alerts for privilege escalation attempts or unauthorized access to sensitive workflows
- Monitor for unusual SQL query patterns within Merge node configurations
- Implement network traffic analysis to detect potential data exfiltration following exploitation
How to Mitigate CVE-2026-27497
Immediate Actions Required
- Upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 or later immediately
- Review and audit all existing workflows for suspicious Merge node configurations
- Restrict workflow creation and editing permissions to fully trusted users only
- If immediate patching is not possible, disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable
Patch Information
The n8n development team has released security patches addressing this vulnerability. Organizations should upgrade to one of the following fixed versions:
For complete technical details, refer to the GitHub Security Advisory GHSA-wxx7-mcgf-j869.
Workarounds
- Limit workflow creation and editing permissions to fully trusted users only as an interim measure
- Disable the Merge node entirely by configuring the NODES_EXCLUDE environment variable
- Implement network segmentation to limit the blast radius if the n8n server is compromised
- Deploy web application firewall (WAF) rules to detect and block SQL injection attempts targeting the n8n interface
# Disable the vulnerable Merge node temporarily
export NODES_EXCLUDE="n8n-nodes-base.merge"
# Restart n8n service to apply changes
systemctl restart n8n
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
