Cyber Posture

CVE-2026-33713

High

Published: 25 March 2026

Modified: 27 March 2026
KEV Added: not listed
Patch: fixed in n8n 1.123.26, 2.13.3 and 2.14.1 (see below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33713 is a high-severity SQL Injection (CWE-89) vulnerability in n8n (vendor/product N8N N8N). Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 (prevent): requires validation of information inputs such as the orderByColumn parameter to prevent SQL injection exploitation in the Data Table Get node.

SI-2 (prevent): mandates timely flaw remediation through patching to fixed n8n versions, directly addressing the SQL injection vulnerability.

AC-6 (prevent): enforces least privilege to restrict workflow creation and modification permissions to trusted users only, limiting the attack surface as recommended in the advisory.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection in the public-facing n8n web application directly enables T1190 exploitation for initial or expanded access; multi-statement support on PostgreSQL facilitates T1485 data deletion and T1565.001 stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On the default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Deeper analysis

CVE-2026-33713 is a SQL injection vulnerability (CWE-89) affecting n8n, an open-source workflow automation platform, in versions prior to 1.123.26, 2.13.3, and 2.14.1. The flaw resides in the Data Table Get node, where an authenticated user with permissions to create or modify workflows can inject malicious SQL via the orderByColumn parameter when set to an expression incorporating external or user-supplied input. The vulnerability was published on 2026-03-25 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

An attacker requires low-privilege authenticated access to exploit this issue by crafting a malicious workflow. On the default SQLite database, exploitation is limited to single-statement manipulation with a practically constrained attack surface. However, in PostgreSQL deployments, multi-statement execution becomes feasible, allowing arbitrary data modification and deletion within the database.

The n8n security advisory recommends upgrading to versions 1.123.26, 2.13.3, 2.14.1, or later to fully remediate the vulnerability. As temporary measures until patching, administrators should restrict workflow creation and editing to fully trusted users, disable the Data Table node by setting the NODES_EXCLUDE environment variable to include n8n-nodes-base.dataTable, and audit existing workflows for Data Table Get nodes using risky orderByColumn expressions. These workarounds provide only partial protection. Additional details are available in the advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3.
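The workflow audit recommended above can be scripted against an exported workflow. The following is an added example written for this page, not code from n8n or its advisory: it walks each node of the export, keeps only Data Table nodes (type `n8n-nodes-base.dataTable`, as named in the advisory), and flags any `orderByColumn` whose value is an n8n expression that reads runtime data. It assumes the standard export layout (a `nodes` array with `type` and `parameters`), that expression values start with `=`, and that the Get operation is selected by `parameters.operation === "get"`; the sample workflow is constructed.

```javascript
// Audit an exported n8n workflow for Data Table Get nodes whose orderByColumn
// is an expression fed by runtime/user-supplied data (the CVE-2026-33713 pattern).
// Added example; assumptions: expressions start with "=", orderByColumn sits
// somewhere under node.parameters (walked recursively), operation key is "operation".
const DATA_TABLE_NODE = "n8n-nodes-base.dataTable"; // value named in the advisory

// Expression tokens that read data flowing into the node at execution time.
const RUNTIME_SOURCES = ["$json", "$input", "$items", "$node", "$binary", "$("];

// Recursively collect every value stored under a key named orderByColumn.
function findOrderByColumns(obj, path = "parameters", out = []) {
  if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      const p = `${path}.${k}`;
      if (k === "orderByColumn") out.push({ path: p, value: v });
      findOrderByColumns(v, p, out);
    }
  }
  return out;
}

// "static": plain literal; "review": expression without runtime input;
// "risky": expression that incorporates runtime/user-supplied data.
function classify(value) {
  if (typeof value !== "string" || !value.startsWith("=")) return "static";
  return RUNTIME_SOURCES.some((s) => value.includes(s)) ? "risky" : "review";
}

// One finding per orderByColumn found in a Data Table Get node.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== DATA_TABLE_NODE) continue;
    const op = node.parameters && node.parameters.operation; // assumed key
    if (op !== undefined && op !== "get") continue;
    for (const hit of findOrderByColumns(node.parameters)) {
      findings.push({ node: node.name, path: hit.path, value: hit.value,
                      verdict: classify(hit.value) });
    }
  }
  return findings;
}

// Constructed sample export: one literal sort column, one sort fed by $json.
const SAMPLE_WORKFLOW = { nodes: [
  { name: "Webhook", type: "n8n-nodes-base.webhook", parameters: {} },
  { name: "Get rows (safe)", type: DATA_TABLE_NODE,
    parameters: { operation: "get", orderByColumn: "created_at" } },
  { name: "Get rows (risky)", type: DATA_TABLE_NODE,
    parameters: { operation: "get", orderByColumn: "={{ $json.query.sort }}" } },
] };

console.log(auditWorkflow(SAMPLE_WORKFLOW).filter((f) => f.verdict !== "static"));
```

Run it over `JSON.parse(fs.readFileSync(file))` for each exported workflow; anything reported as "risky" should be rewritten to a fixed column or an allow-list lookup, and "review" entries checked by hand.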

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

n8n (n8n): 2.14.0; ≤ 1.123.26; 2.0.0 to 2.13.3

CVEs Like This One

CVE-2026-27497 (same product: N8N N8N)
CVE-2026-33660 (same product: N8N N8N)
CVE-2025-62726 (same product: N8N N8N)
CVE-2026-21877 (same product: N8N N8N)
CVE-2025-68613 (same product: N8N N8N)
CVE-2026-1470 (same product: N8N N8N)
CVE-2026-25055 (same product: N8N N8N)
CVE-2026-27493 (same product: N8N N8N)
CVE-2026-27498 (same product: N8N N8N)
CVE-2026-21893 (same product: N8N N8N)
