CVE-2026-27497: n8n: SQL Injection exposes database
HIGH
CVE-2026-27497 is a high-severity RCE in n8n, one of the most widely used AI workflow orchestration platforms. Any authenticated user with workflow editing rights can execute arbitrary code on the n8n server, gaining full control of your AI automation infrastructure and all stored credentials. Patch to 2.10.1/2.9.3/1.123.22 immediately — and treat every n8n instance as potentially compromised until you do.
What is the risk?
HIGH. CVSS 8.8 with network-accessible vector, low complexity, low privileges required, no user interaction. n8n deployments are typically wired to LLM APIs, vector databases, SaaS platforms, and internal systems — making the blast radius exceptionally wide. The dual CWE-89 (SQLi) and CWE-94 (code injection) create multiple exploitation paths within the same node. Insider threat surface is material: any developer or analyst with workflow access is a potential adversary, and the attack blends into legitimate workflow execution logs.
What should I do?
Six steps:
1. PATCH IMMEDIATELY: Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22.
2. TEMPORARY WORKAROUND (if patching is delayed): Add 'n8n-nodes-base.merge' to the NODES_EXCLUDE environment variable to disable the vulnerable node.
3. RESTRICT PERMISSIONS: Treat workflow creation/editing as an administrative privilege — lock it down to fully trusted users only.
4. AUDIT EXISTING WORKFLOWS: Review all workflows for Merge nodes with suspicious SQL payloads before and after patching.
5. ROTATE CREDENTIALS: After patching, rotate all API keys and service credentials stored in n8n — LLM provider keys, database credentials, cloud tokens.
6. DETECTION: Monitor for unexpected process spawns, file writes outside the n8n data directory, and anomalous outbound connections from the n8n process. Alert on Merge node executions containing SQL-like payloads.
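Steps 4 and 6 both come down to finding Merge nodes that run in SQL query mode and deciding which of them deserve a closer look. The script below is an added example, not code from the page or from the n8n project: it walks an exported workflow JSON, reports every Merge node (`n8n-nodes-base.merge`, the type named in the NODES_EXCLUDE workaround) whose mode is SQL, and escalates the ones whose query is not a single read-only statement or whose query text is built by an expression at run time and therefore cannot be reviewed from the export. The parameter names `mode == "combineBySql"` and `query`, and the convention that a parameter value starting with `=` is an n8n expression, are assumptions about the export format; the sample workflow is constructed.

```python
import json
import re
from dataclasses import dataclass

# Node type named in the advisory's NODES_EXCLUDE workaround.
MERGE_NODE_TYPE = "n8n-nodes-base.merge"
# ASSUMPTION: the Merge node's SQL query mode is stored as mode == "combineBySql"
# with the statement in parameters["query"]; adjust to your export if it differs.
SQL_MODE = "combineBySql"
# A query that merely combines two inputs should be one read-only statement.
READ_ONLY_VERBS = {"SELECT", "WITH"}

# Constructed sample export in n8n workflow-JSON shape: one plain SQL-mode join,
# one non-SQL Merge, one query no join would ever need, and one runtime-built query.
SAMPLE_EXPORT = json.dumps({
    "name": "orders-sync",
    "nodes": [
        {"name": "Merge legit", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": SQL_MODE,
                        "query": "SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id"}},
        {"name": "Merge append", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": "append"}},
        {"name": "Merge odd", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": SQL_MODE,
                        "query": "SELECT 1; UPDATE input1 SET id = 0 -- tail"}},
        {"name": "Merge dyn", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": SQL_MODE,
                        "query": "={{ $json.sql }}"}},
        {"name": "HTTP", "type": "n8n-nodes-base.httpRequest", "parameters": {}},
    ],
})


@dataclass
class Finding:
    workflow: str
    node: str
    severity: str   # "review": SQL mode in use; "high": query is not a plain read-only join
    reasons: list


def classify_query(query: str) -> list:
    """Return the reasons a Merge SQL query looks unlike a plain join; empty means benign-looking."""
    reasons = []
    # ASSUMPTION: a parameter value starting with "=" is an n8n expression evaluated
    # at run time, so the SQL actually executed is not visible in the export.
    if query.startswith("="):
        reasons.append("query is built by an expression at run time")
        return reasons
    without_comments = re.sub(r"--[^\n]*|/\*.*?\*/", " ", query, flags=re.S)
    if without_comments != query:
        reasons.append("SQL comment present")
    statements = [s.strip() for s in without_comments.split(";") if s.strip()]
    if len(statements) > 1:
        reasons.append(f"{len(statements)} statements in one query")
    for stmt in statements:
        verb = stmt.split(None, 1)[0].upper()
        if verb not in READ_ONLY_VERBS:
            reasons.append(f"non read-only statement: {verb}")
    return reasons


def audit_export(export_json: str) -> list:
    """Flag every Merge node in SQL mode; escalate when the query is not one read-only statement."""
    workflow = json.loads(export_json)
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != MERGE_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        if params.get("mode") != SQL_MODE:
            continue
        reasons = classify_query(str(params.get("query", "")))
        findings.append(Finding(
            workflow=workflow.get("name", "?"),
            node=node.get("name", "?"),
            severity="high" if reasons else "review",
            reasons=reasons or ["Merge node uses SQL query mode (disabled by the NODES_EXCLUDE workaround)"],
        ))
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"[{f.severity}] {f.workflow} / {f.node}: {'; '.join(f.reasons)}")
```

Every SQL-mode Merge node is reported even when its query looks harmless, because the workaround disables the node outright and a reviewer should know where it is in use. The same `classify_query` heuristic can be applied to the query text recorded in execution data to drive the alert described in step 6.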
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-27497?
CVE-2026-27497 is a high-severity RCE in n8n, one of the most widely used AI workflow orchestration platforms. Any authenticated user with workflow editing rights can execute arbitrary code on the n8n server, gaining full control of your AI automation infrastructure and all stored credentials. Patch to 2.10.1/2.9.3/1.123.22 immediately — and treat every n8n instance as potentially compromised until you do.
Is CVE-2026-27497 actively exploited?
No confirmed active exploitation of CVE-2026-27497 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-27497?
1. PATCH IMMEDIATELY: Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22.
2. TEMPORARY WORKAROUND (if patching is delayed): Add 'n8n-nodes-base.merge' to the NODES_EXCLUDE environment variable to disable the vulnerable node.
3. RESTRICT PERMISSIONS: Treat workflow creation/editing as an administrative privilege — lock it down to fully trusted users only.
4. AUDIT EXISTING WORKFLOWS: Review all workflows for Merge nodes with suspicious SQL payloads before and after patching.
5. ROTATE CREDENTIALS: After patching, rotate all API keys and service credentials stored in n8n — LLM provider keys, database credentials, cloud tokens.
6. DETECTION: Monitor for unexpected process spawns, file writes outside the n8n data directory, and anomalous outbound connections from the n8n process. Alert on Merge node executions containing SQL-like payloads.
What systems are affected by CVE-2026-27497?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow orchestration platforms, RAG pipelines, LLM integration layers, multi-agent systems, AI automation pipelines.
What is the CVSS score for CVE-2026-27497?
CVE-2026-27497 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.77%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0099 AI Agent Tool Data Poisoning
Compliance Controls Affected
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An insider or compromised developer account with workflow editing rights in n8n creates a new workflow containing a Merge node in SQL query mode. The attacker crafts a payload exploiting CWE-89/CWE-94 to achieve server-side code execution — writing a web shell or spawning a reverse shell. Once on the server, they harvest all n8n-stored credentials: LLM API keys (OpenAI, Anthropic), vector database connections, cloud provider tokens, internal database credentials. These are used to pivot: querying LLMs with exfiltrated proprietary data, poisoning RAG databases, or deploying rogue AI agent workflows that persist under legitimate service accounts. The attack is inherently stealthy because the workflow execution logs record it as normal n8n activity.
Weaknesses (CWE)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (Primary)
CWE-94 Improper Control of Generation of Code ('Code Injection') (Primary)
CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
- [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]
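The two CWE-89 mitigations above both point at the same change: stop assembling SQL text from upstream data and let the driver bind values to placeholders. The snippet below is an added example, not from the page, the n8n project or the MITRE corpus; it uses Python's standard `sqlite3` module with a constructed in-memory table to show the string-built lookup beside its parameterized replacement, and why the first one returns rows it should not.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the downstream database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # CWE-89: upstream input becomes part of the SQL text, so any quote or
    # operator inside it is parsed as SQL rather than as the name being searched.
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized: the statement is compiled with a placeholder and the value is
    # bound afterwards, so it is only ever compared as data, never parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"   # constructed input that happens to contain SQL syntax
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no user is literally named that
    print("safe, bob:", lookup_safe(db, "bob"))
```

The parameterized form is also what the second bullet means by "strong typing": `sqlite3` binds the value with its own type, so there is no quoting step for the developer to get wrong at each call site.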
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Timeline
Related Vulnerabilities
CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials (same package: n8n)
CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (same package: n8n)
CVE-2026-27577 9.9 n8n: Code Injection enables RCE (same package: n8n)
CVE-2026-27494 9.9 n8n: security flaw enables exploitation (same package: n8n)