CVE-2026-44792

UNKNOWN 0.0

n8n: Source Control Pull SQL Injection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator performed a Source Control Pull, n8n imported the file and could lead to SQL injection on the internal PostgreSQL instance. Exploitation requires the n8n instance uses PostgreSQL as its database backend, the Source Control feature is enabled and connected to a repository the attacker can write to, and an administrator triggers a Source Control Pull. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

CWE	CWE-89
Vendor	n8n-io
Product	n8n
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for n8n-io n8n

Be the first to know when new unknown vulnerabilities affecting n8n-io n8n are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

n8n-io / n8n

< 1.123.43 >= 2.0.0-rc.0, < 2.20.7 >= 2.21.0, < 2.21.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/n8n-io/n8n/security/advisories/GHSA-mhrx-qhrj-673w