Cyber Posture

CVE-2026-27497

Severity: High · Tag: RCE

Published: 25 February 2026
Modified: 04 March 2026
KEV Added: not listed (the CVE is not in the CISA KEV catalog)
Patch: available (fixed releases listed below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27497 is a high-severity SQL Injection (CWE-89) vulnerability in n8n (vendor n8n), an open source workflow automation platform. The flaw sits in the Merge node's SQL query mode, and a user who can create or edit workflows can use it to execute arbitrary code and write arbitrary files on the n8n server. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 22.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note the PR:L component of the vector: the attacker needs an account that is allowed to create or edit workflows, not merely network reach to the instance.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Command and Scripting Interpreter (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: patch to a fixed release

Requires timely installation of versions 2.10.1, 2.9.3, or 1.123.22 (or later), which fully remediate the SQL injection in the Merge node. This is the only complete fix; the two controls below reduce exposure until the upgrade is done.

prevent: SI-10 Information Input Validation

Mandates validation and sanitization of SQL query inputs in the Merge node so that special elements are neutralized and cannot turn into arbitrary code execution or file writes. This is the vendor-side fix shipped in the patched releases; an operator cannot apply it independently of upgrading.

prevent: AC-6 Least Privilege

Enforces least privilege by limiting workflow creation and editing permissions to fully trusted users. Since workflow-edit rights are the only precondition a remote attacker needs beyond network access, withholding them from low-privilege accounts removes that attack path, although compromised trusted accounts can still reach the vulnerable code.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Authenticated SQL injection in the Merge node of an Internet-exposed n8n instance is an exploit of a public-facing application (T1190), and the arbitrary code execution it yields on the server falls under Command and Scripting Interpreter (T1059); the arbitrary file write is a side effect of the same injection. Because the vector is PR:L, the T1190 mapping presumes the adversary already holds credentials with workflow-edit rights.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Deeper analysis

CVE-2026-27497 is a high-severity vulnerability in n8n, an open-source workflow automation platform, affecting versions prior to 2.10.1, 2.9.3, and 1.123.22. It stems from improper handling in the Merge node's SQL query mode, enabling an authenticated user with permissions to create or modify workflows to execute arbitrary code and write arbitrary files on the n8n server. The issue maps to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-94 (Improper Control of Generation of Code), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires an authenticated attacker with low privileges, specifically the ability to create or edit workflows, and can be performed remotely over the network with low complexity and no user interaction. Successful attacks allow arbitrary code execution and file writes on the server, potentially resulting in complete server compromise, data exfiltration, persistence, or lateral movement.

n8n has addressed the vulnerability in releases 2.10.1, 2.9.3, and 1.123.22; the security advisory and release notes recommend upgrading to these or later versions for full remediation. Temporary mitigations are restricting workflow creation and editing permissions to fully trusted users and disabling the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. Both are partial: the permission restriction still leaves trusted users, and anyone who compromises their accounts, able to reach the vulnerable code, and excluding the node disables every Merge mode, not only SQL query mode, so workflows that depend on the node stop working. Neither is a substitute for patching.

Details

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), CWE-94 (Improper Control of Generation of Code)

Affected Products

n8n (vendor n8n)
Affected: < 1.123.22 · 2.0.0 to < 2.9.3 · 2.10.0 to < 2.10.1
Fixed: 1.123.22, 2.9.3, 2.10.1 and later
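To turn the advisory into a triage step, here is an added example (not code from n8n, the advisory, or this page) that checks a deployed version against the three fixed-release boundaries above, lists Merge nodes running in SQL query mode in exported workflow JSON, and builds a `NODES_EXCLUDE` value that adds the Merge node without dropping entries already present. The node type `n8n-nodes-base.merge` and the fixed versions come from the advisory; the export JSON shape, the `combineBySql`/`query` parameter names and the JSON-array format of `NODES_EXCLUDE` are assumptions to verify against your own n8n release, and the sample workflow is constructed.

```python
"""Triage helpers for CVE-2026-27497 (n8n Merge node, SQL query mode).

Added example for this page, not code from the n8n project or the advisory.
From the advisory: fixed versions 2.10.1, 2.9.3 and 1.123.22, the node type
"n8n-nodes-base.merge", and the NODES_EXCLUDE workaround.
Assumptions (not on the page, verify against your release): workflows are the
JSON written by n8n's export:workflow command (a top-level "nodes" list, each
node with "type" and "parameters"); SQL query mode is selected by
parameters.mode == "combineBySql" with the statement in parameters.query;
NODES_EXCLUDE holds a JSON array encoded as a string.
"""
import json
import re

# Fixed releases from the advisory as (major, minor, patch, release_flag);
# release_flag is 0 for a pre-release and 1 for a final release so that
# "2.10.1-rc.1" sorts below "2.10.1" and is still reported as vulnerable.
FIXED_1X = (1, 123, 22, 1)
FIXED_2_0_TO_2_9 = (2, 9, 3, 1)
FIXED_2_10 = (2, 10, 1, 1)

MERGE_NODE_TYPE = "n8n-nodes-base.merge"  # from the advisory
SQL_MODE = "combineBySql"                 # assumed parameter value

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text):
    """'1.123.21', 'v2.9.2' or '2.10.1-rc.1' -> comparable 4-tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver-like n8n version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_vulnerable(version):
    """True when `version` is below the fixed release for its branch.

    Everything before 1.123.22 is affected (the advisory says "prior to"),
    2.0 to 2.9 is fixed at 2.9.3 and 2.10 at 2.10.1; later minors and majors
    are assumed to carry the fix.
    """
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 2:
        return v < FIXED_1X
    if major == 2 and minor < 10:
        return v < FIXED_2_0_TO_2_9
    if major == 2 and minor == 10:
        return v < FIXED_2_10
    return False


def find_sql_merge_nodes(workflow):
    """Return (workflow name, node name, query) for each Merge node in SQL mode.

    On an unpatched instance every hit is reachable by anyone with
    workflow-edit rights; review the query text and the workflow's last editor.
    """
    hits = []
    for node in workflow.get("nodes", []):
        if node.get("type") != MERGE_NODE_TYPE:
            continue
        params = node.get("parameters") or {}
        if params.get("mode") == SQL_MODE:
            hits.append((workflow.get("name", "?"),
                         node.get("name", "?"),
                         params.get("query", "")))
    return hits


def nodes_exclude_with_merge(current):
    """Return the NODES_EXCLUDE value with the Merge node added exactly once.

    `current` is the variable's existing value ('' or None when unset);
    entries already present, e.g. executeCommand, are preserved.
    """
    excluded = json.loads(current) if current else []
    if not isinstance(excluded, list):
        raise ValueError("NODES_EXCLUDE must be a JSON array")
    if MERGE_NODE_TYPE not in excluded:
        excluded.append(MERGE_NODE_TYPE)
    return json.dumps(excluded)


# Constructed sample export: one Merge node in SQL mode, one in append mode.
SAMPLE_WORKFLOW = {
    "name": "nightly-report",
    "nodes": [
        {"name": "Merge", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": SQL_MODE,
                        "query": "SELECT * FROM input1 LEFT JOIN input2 "
                                 "ON input1.id = input2.id"}},
        {"name": "Merge1", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": "append"}},
        {"name": "Set", "type": "n8n-nodes-base.set", "parameters": {}},
    ],
}

if __name__ == "__main__":
    for ver in ("1.123.21", "2.9.3", "2.10.1-rc.1", "2.11.0"):
        print(f"{ver:14} vulnerable={is_vulnerable(ver)}")
    for wf, node, query in find_sql_merge_nodes(SAMPLE_WORKFLOW):
        print(f"review: workflow={wf!r} node={node!r} query={query!r}")
    print("NODES_EXCLUDE=" +
          nodes_exclude_with_merge('["n8n-nodes-base.executeCommand"]'))
```

Feed `find_sql_merge_nodes` the files produced by n8n's export:workflow command and compare each hit's last-modified time and editor against your change records; a Merge node in SQL mode that nobody recognizes on a version `is_vulnerable` reports as affected is the artifact to investigate first. The version check treats a pre-release of a fixed version as still affected, which is the conservative reading when an instance was built from a tag rather than a published release.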

CVEs Like This One

CVE-2026-27577 (same product: n8n)
CVE-2026-21893 (same product: n8n)
CVE-2026-33660 (same product: n8n)
CVE-2026-21877 (same product: n8n)
CVE-2026-27498 (same product: n8n)
CVE-2026-33713 (same product: n8n)
CVE-2026-27495 (same product: n8n)
CVE-2026-27493 (same product: n8n)
CVE-2026-25053 (same product: n8n)
CVE-2025-62726 (same product: n8n)
