CVE-2026-33713 Overview
CVE-2026-33713 is a SQL Injection vulnerability affecting n8n, an open source workflow automation platform. An authenticated user with permission to create or modify workflows can exploit this vulnerability through the Data Table Get node. The impact varies based on the database backend: SQLite deployments have limited single-statement manipulation, while PostgreSQL deployments are susceptible to multi-statement execution enabling data modification and deletion.
Critical Impact
Authenticated attackers can execute arbitrary SQL statements, potentially leading to unauthorized data access, modification, and deletion on affected n8n deployments.
Affected Products
- n8n versions prior to 1.123.26
- n8n versions prior to 2.13.3
- n8n versions prior to 2.14.1
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-33713 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33713
Vulnerability Analysis
This vulnerability stems from improper input validation in the Data Table Get node component of n8n. The orderByColumn parameter accepts user-controlled input that is not properly sanitized before being incorporated into SQL queries. This allows authenticated users to inject malicious SQL statements into the database operations performed by n8n workflows.
The attack surface varies significantly depending on the database backend in use. When n8n is configured with the default SQLite database, exploitation is limited to single statement manipulation due to SQLite's query execution model. However, PostgreSQL deployments present a more severe risk as multi-statement execution is supported, enabling attackers to chain multiple SQL commands for comprehensive data manipulation operations including insertions, updates, and deletions.
Root Cause
The root cause is improper input sanitization in the Data Table Get node's handling of the orderByColumn parameter. When this parameter is set to an expression that incorporates external or user-supplied input, the unsanitized data flows directly into SQL query construction, creating a classic SQL Injection vulnerability (CWE-89). The application fails to properly parameterize or escape user input before including it in dynamically constructed SQL statements.
Attack Vector
The vulnerability is exploitable over the network by authenticated users with workflow creation or modification permissions. An attacker must craft a malicious workflow containing a Data Table Get node where the orderByColumn parameter includes SQL injection payloads. When the workflow executes, the injected SQL commands are processed by the database, allowing the attacker to read sensitive data, modify records, or delete information depending on the database type and configuration.
On PostgreSQL deployments, attackers can leverage multi-statement execution to perform operations beyond the intended query scope, such as:
- Extracting sensitive data from other tables
- Modifying or corrupting workflow data
- Deleting records across the database
- Potentially escalating access through database-specific features
Detection Methods for CVE-2026-33713
Indicators of Compromise
- Unusual SQL syntax or keywords appearing in workflow configurations, particularly in orderByColumn expressions
- Unexpected database queries containing UNION, SELECT, INSERT, UPDATE, DELETE, or DROP statements originating from n8n processes
- Anomalous database access patterns or query execution times associated with n8n workflows
Detection Strategies
- Review workflow audit logs for Data Table Get nodes with dynamic or expression-based orderByColumn parameters
- Monitor database query logs for SQL injection patterns such as single quotes, comment sequences (--), or stacked queries from n8n connections
- Implement database activity monitoring to detect unauthorized SELECT, UPDATE, or DELETE operations
Monitoring Recommendations
- Enable detailed logging for all workflow executions and database queries
- Configure alerts for workflows that reference the Data Table Get node with expression-based parameters
- Monitor for new or modified workflows created by users outside the trusted administrator group
How to Mitigate CVE-2026-33713
Immediate Actions Required
- Upgrade n8n to version 1.123.26, 2.13.3, or 2.14.1 or later immediately
- Limit workflow creation and editing permissions to fully trusted users only
- Review existing workflows for Data Table Get nodes where orderByColumn is set to expressions incorporating external or user-supplied input
Patch Information
The vulnerability has been remediated in n8n versions 1.123.26, 2.13.3, and 2.14.1. Organizations should upgrade to one of these versions or later. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Restrict workflow creation and modification permissions to only fully trusted administrators
- Disable the Data Table node entirely by adding n8n-nodes-base.dataTable to the NODES_EXCLUDE environment variable
- Audit all existing workflows for potentially vulnerable Data Table Get node configurations
# Disable the Data Table node as a temporary mitigation
export NODES_EXCLUDE="n8n-nodes-base.dataTable"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
