CVE

CVE-2026-54310

n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes

CVE

CVE-2026-54310

n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes

Impact

An authenticated user with permission to create or modify workflows could supply a crafted parameters to the TimescaleDB and/or legacy Postgres v1 node's allowing arbitrary SQL to be injected and executed against the connected database within the privileges of the configured database account.

Patches

The issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

Limit workflow creation and editing permissions to fully trusted users only.
Disable the Postgres and TimescaleDB node by adding n8n-nodes-base.postgres, n8n-nodes-base.timescaleDb to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-c37g-w77q-m4vp, https://github.com/n8n-io/n8n

Severity

9.9

CVSS Score

Basic Information

Base CVSS

9.9

EPSS Probability

EPSS Percentile

Introduced Version

2.26.0,0

Fix Available

2.26.2,2.25.7

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-54310

CVE-2026-54310

Impact

Patches

Workarounds

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.9

Basic Information

Fix Critical Vulnerabilities Instantly