VYPR
Medium severity (6.5) · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

n8n: SQL Injection in Postgres v1/TimescaleDB Nodes

CVE-2026-54310

Description

Authenticated n8n users can inject arbitrary SQL via crafted parameters in Postgres v1 or TimescaleDB workflow nodes, leading to full database compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in the Postgres v1 (n8n-nodes-base.postgres) and TimescaleDB (n8n-nodes-base.timescaleDb) nodes of n8n. An authenticated user with permission to create or modify workflows can supply crafted parameters to these nodes, allowing arbitrary SQL statements to be injected and executed against the connected database. The injected SQL runs with the privileges of the configured database account. Affected versions include all prior to 2.25.7 and 2.26.2 [1][2].

Exploitation

An attacker must have an authenticated n8n account with the ability to create or edit workflows. No special network position is required beyond access to the n8n web interface. The attacker crafts workflow parameters for the Postgres v1 or TimescaleDB node such that malicious SQL is injected into the database query. The injection occurs during workflow execution when the node processes the attacker-supplied parameters [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands against the connected database within the bounds of the configured database account's privileges. This can lead to full compromise of the database's confidentiality, integrity, and availability, including data exfiltration, modification, or deletion. The impact is rated Critical with a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) [1][2].

Mitigation

The vulnerability is fixed in n8n versions 2.25.7 and 2.26.2. All users should upgrade to one of these versions or later. If immediate upgrade is not possible, administrators should temporarily limit workflow creation and editing permissions to fully trusted users only, and disable the vulnerable nodes by adding n8n-nodes-base.postgres and n8n-nodes-base.timescaleDb to the NODES_EXCLUDE environment variable. These workarounds are partial and should only be used as short-term measures [1][2].
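The two mitigation steps above (check the running version against the fixed releases, and make sure the two affected node types are excluded until the upgrade lands) are easy to get wrong by hand across many workflows. The following Python helper is an added example for defenders, not code from n8n or from this advisory: it classifies an n8n version string against the fixed releases named above, scans exported workflow JSON for nodes that are still on the affected node types, and checks whether a `NODES_EXCLUDE` value actually covers both. It assumes the n8n workflow-export layout (a `nodes` list whose entries carry `type` and `typeVersion`) and the JSON-array form of `NODES_EXCLUDE`; the sample workflow and environment value are constructed for the example.

```python
"""Inventory helper for CVE-2026-54310 (hypothetical example, not n8n code)."""
import json
from typing import Dict, List, Optional, Set, Tuple

# Fixed releases named in the advisory: 2.25.7 and 2.26.2. Everything before the
# 2.25 line is treated as affected; 2.27 and later are treated as fixed.
FIXED_2_25 = (2, 25, 7)
FIXED_2_26 = (2, 26, 2)

# Affected node types. Postgres is affected only as the v1 node (typeVersion 1);
# the advisory does not restrict TimescaleDB to a version, so None matches all.
AFFECTED_NODE_TYPES: Dict[str, Optional[int]] = {
    "n8n-nodes-base.postgres": 1,
    "n8n-nodes-base.timescaleDb": None,
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.25.6', 'v2.26.1' or '2.25.7-rc.1' into a comparable (major, minor, patch)."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    padded = nums + [0] * (3 - len(nums))
    return (padded[0], padded[1], padded[2])


def is_affected_version(version: str) -> bool:
    """True when the given n8n version is below the fix for its release line."""
    v = parse_version(version)
    if v[:2] == (2, 25):
        return v < FIXED_2_25
    if v[:2] == (2, 26):
        return v < FIXED_2_26
    # Any line older than 2.25 predates both fixes; newer lines carry them.
    return v < (2, 25, 0)


def find_affected_nodes(workflow: dict) -> List[Tuple[str, str, str, float]]:
    """Return (workflow name, node name, node type, typeVersion) for each affected node.

    Assumes the n8n export layout: {"name": ..., "nodes": [{"name", "type", "typeVersion"}]}.
    """
    hits = []
    wf_name = workflow.get("name", "<unnamed>")
    for node in workflow.get("nodes", []):
        ntype = node.get("type")
        if ntype not in AFFECTED_NODE_TYPES:
            continue
        wanted = AFFECTED_NODE_TYPES[ntype]
        type_version = node.get("typeVersion", 1)
        # Postgres v2.x nodes (typeVersion 2, 2.4, ...) are not the v1 node.
        if wanted is None or int(type_version) == wanted:
            hits.append((wf_name, node.get("name", "<unnamed>"), ntype, type_version))
    return hits


def nodes_exclude_missing(env_value: Optional[str]) -> Set[str]:
    """Return the affected node types NOT covered by a NODES_EXCLUDE value.

    Assumes NODES_EXCLUDE holds a JSON array of node type names; an empty set means
    the interim workaround from the advisory is fully in place.
    """
    excluded = set(json.loads(env_value)) if env_value else set()
    return {t for t in AFFECTED_NODE_TYPES if t not in excluded}


# Constructed sample data: one workflow mixing unaffected and affected nodes.
SAMPLE_WORKFLOW = {
    "name": "nightly-report",
    "nodes": [
        {"name": "Trigger", "type": "n8n-nodes-base.scheduleTrigger", "typeVersion": 1},
        {"name": "Legacy PG", "type": "n8n-nodes-base.postgres", "typeVersion": 1},
        {"name": "PG v2", "type": "n8n-nodes-base.postgres", "typeVersion": 2.4},
        {"name": "TSDB", "type": "n8n-nodes-base.timescaleDb", "typeVersion": 1},
    ],
}
SAMPLE_NODES_EXCLUDE = '["n8n-nodes-base.postgres"]'  # constructed: only half the workaround

if __name__ == "__main__":
    for ver in ("2.25.6", "2.25.7", "2.26.1", "2.27.0"):
        print(f"n8n {ver}: {'AFFECTED' if is_affected_version(ver) else 'fixed'}")
    for wf, node, ntype, tv in find_affected_nodes(SAMPLE_WORKFLOW):
        print(f"workflow {wf!r}: node {node!r} uses {ntype} (typeVersion {tv})")
    missing = nodes_exclude_missing(SAMPLE_NODES_EXCLUDE)
    print("NODES_EXCLUDE still missing:", sorted(missing) or "nothing")
```

Run it against the JSON you get from exporting each workflow (or from the n8n database's workflow table) and against the `NODES_EXCLUDE` value actually set in the deployment, not the one you intended to set; the version check is per release line, so 2.26.1 is reported as affected even though it is numerically above 2.25.7.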

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.