๐Ÿ” CVE Alert

CVE-2026-59257

UNKNOWN 0.0

n8n - SQL Injection in MySQL v1 executeQuery Operation via Expression Interpolation

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
23th

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ ... }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.

CWE CWE-89
Vendor n8n
Product n8n
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for n8n n8n

Be the first to know when new unknown vulnerabilities affecting n8n n8n are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

n8n / n8n
0 < 1.123.61
n8n / n8n
0 < 2.28.1
n8n / n8n
0 < 2.27.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/n8n-io/n8n/security/advisories/GHSA-hwmj-qg4v-cvg9 vulncheck.com: https://www.vulncheck.com/advisories/n8n-sql-injection-in-mysql-v1-executequery-operation-via-expression-interpolation