Any authenticated n8n user with workflow edit rights can exploit this SQL injection to exfiltrate, modify, or delete your entire database on PostgreSQL deployments. Patch to 1.123.26/2.13.3/2.14.1 immediately; if n8n is used as an AI automation backbone, assume blast radius extends to all downstream data connected via workflows. EPSS is still low but the attack requires only low privileges and no user interaction.
What is the risk?
High severity (CVSS 8.8) with meaningful caveats: exploitation requires an authenticated session with workflow creation/edit permissions, lowering exposure for tightly controlled deployments. However, n8n is frequently deployed with broad internal access in AI automation environments where 'trusted users' build workflows freely. PostgreSQL deployments face full multi-statement execution risk (data read/write/delete); SQLite is limited to single-statement manipulation. EPSS 0.00014 indicates no current mass exploitation, but the attack pattern is well-understood and low-sophistication once access is obtained.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.26 | 1.123.26 |
Do you run an n8n version older than the patched releases (1.123.26, 2.13.3, or 2.14.1)? You're affected.
What should I do?
Six steps:
1. PATCH: Upgrade to n8n 1.123.26 (v1 branch), 2.13.3, or 2.14.1 immediately.
2. RESTRICT permissions: Limit workflow creation/editing to fully trusted users only via n8n's role system.
3. DISABLE the node if unused: Set NODES_EXCLUDE=n8n-nodes-base.dataTable in environment variables.
4. AUDIT: Search existing workflows for Data Table Get nodes where orderByColumn is set to an expression; flag any using $json, $input, or user-supplied variables.
5. DETECT: Monitor PostgreSQL query logs for unusual multi-statement patterns originating from the n8n service account.
6. ISOLATE: Ensure n8n's DB service account follows least privilege: no DROP, TRUNCATE, or cross-schema access.
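To make the AUDIT and DETECT steps concrete, here is an added JavaScript example (written for this page, not code from n8n or the advisory). It scans an exported n8n workflow JSON for Data Table nodes whose orderByColumn is an expression, grading expressions that reference runtime input ($json, $input, $(...), $vars) as high, and scans PostgreSQL statement-log lines issued by the n8n database account for multi-statement queries. Assumptions: the node type id n8n-nodes-base.dataTable and the parameter name orderByColumn come from the advisory, but where orderByColumn nests inside the node's parameters is assumed, so the scan searches at any depth; n8n's convention of storing expression-valued parameters as strings starting with "=" is relied on; the PostgreSQL log layout assumes log_line_prefix '%m [%p] %u@%d ' with log_statement = 'all'. The sample workflow and log lines are constructed for the demonstration.

```javascript
// Added example (not n8n's own code): audit exported workflows for
// expression-driven orderByColumn, and scan PostgreSQL statement logs
// from the n8n DB account for multi-statement queries.

const DATA_TABLE_NODE_TYPE = 'n8n-nodes-base.dataTable'; // from the advisory

// Expression references that mean runtime / user-controlled input reaches the column name.
const TAINT_SOURCES = [/\$json\b/, /\$input\b/, /\$\(/, /\$vars\b/, /\$parameter\b/];

// Recursively collect every value stored under `key`, at any depth (nesting is an assumption).
function findKeys(obj, key, path = [], out = []) {
  if (Array.isArray(obj)) {
    obj.forEach((v, i) => findKeys(v, key, [...path, String(i)], out));
  } else if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) {
      if (k === key) out.push({ path: [...path, k].join('.'), value: v });
      findKeys(v, key, [...path, k], out);
    }
  }
  return out;
}

// AUDIT: return one finding per Data Table node whose orderByColumn is an expression.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== DATA_TABLE_NODE_TYPE) continue;
    for (const { path, value } of findKeys(node.parameters || {}, 'orderByColumn')) {
      // n8n stores expressions as strings beginning with "="; a plain string is a static column name.
      if (typeof value !== 'string' || !value.startsWith('=')) continue;
      const tainted = TAINT_SOURCES.some((re) => re.test(value));
      findings.push({
        node: node.name,
        operation: node.parameters && node.parameters.operation,
        path,
        expression: value,
        severity: tainted ? 'high' : 'review',
      });
    }
  }
  return findings;
}

// DETECT: PostgreSQL line "<timestamp> [<pid>] <user>@<db> LOG:  statement: <sql>"
// (assumed log_line_prefix '%m [%p] %u@%d '; adjust the regex to your prefix).
const PG_LINE = /^(\S+ \S+ \S+) \[(\d+)\] (\S+)@(\S+) LOG:\s+statement: (.*)$/;

// Count top-level statements: blank out single-quoted literals (with '' escapes)
// and -- comments first so a ';' inside a string does not count.
function statementCount(sql) {
  const noLiterals = sql.replace(/'(?:[^']|'')*'/g, "''");
  const noComments = noLiterals.replace(/--.*$/gm, '');
  return noComments.split(';').map((s) => s.trim()).filter(Boolean).length;
}

// Return log lines from `dbUser` that carry more than one statement.
function flagMultiStatement(logLines, dbUser) {
  const hits = [];
  for (const line of logLines) {
    const m = PG_LINE.exec(line);
    if (!m) continue;
    const [, ts, pid, user, , sql] = m;
    if (user !== dbUser) continue;
    const n = statementCount(sql);
    if (n > 1) hits.push({ ts, pid: Number(pid), user, statements: n, sql });
  }
  return hits;
}

// Constructed sample workflow export (shape of a real export, values invented).
const SAMPLE_WORKFLOW = {
  name: 'constructed sample',
  nodes: [
    { name: 'Get rows (static)', type: DATA_TABLE_NODE_TYPE,
      parameters: { operation: 'get', orderByColumn: 'created_at' } },
    { name: 'Get rows (tainted)', type: DATA_TABLE_NODE_TYPE,
      parameters: { operation: 'get', orderByColumn: '={{ $json.sort }}' } },
    { name: 'Get rows (expr)', type: DATA_TABLE_NODE_TYPE,
      parameters: { operation: 'get', orderByColumn: '={{ "id" }}' } },
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest', parameters: {} },
  ],
};

// Constructed PostgreSQL log lines; only the second one is a multi-statement query from the n8n account.
const SAMPLE_PG_LOG = [
  '2026-03-01 10:00:00.123 UTC [4101] n8n@n8n LOG:  statement: SELECT * FROM data_table_x ORDER BY created_at LIMIT 50',
  '2026-03-01 10:00:01.456 UTC [4101] n8n@n8n LOG:  statement: SELECT * FROM data_table_x ORDER BY id; DELETE FROM data_table_x; --',
  "2026-03-01 10:00:02.789 UTC [4102] n8n@n8n LOG:  statement: INSERT INTO t (c) VALUES ('a;b')",
  '2026-03-01 10:00:03.000 UTC [4200] reporting@n8n LOG:  statement: SELECT 1; SELECT 2',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW), null, 2));
  console.log(JSON.stringify(flagMultiStatement(SAMPLE_PG_LOG, 'n8n'), null, 2));
}
```

To run this against real data, replace SAMPLE_WORKFLOW with the parsed contents of a workflow export (`JSON.parse(fs.readFileSync('workflow.json', 'utf8'))`) and SAMPLE_PG_LOG with the lines of your PostgreSQL log; findings graded high are the ones step 4 asks you to flag, and a non-empty result from flagMultiStatement is the pattern step 5 asks you to monitor for.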
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-33713?
Any authenticated n8n user with workflow edit rights can exploit this SQL injection to exfiltrate, modify, or delete your entire database on PostgreSQL deployments. Patch to 1.123.26/2.13.3/2.14.1 immediately; if n8n is used as an AI automation backbone, assume blast radius extends to all downstream data connected via workflows. EPSS is still low but the attack requires only low privileges and no user interaction.
Is CVE-2026-33713 actively exploited?
No confirmed active exploitation of CVE-2026-33713 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-33713?
1. PATCH: Upgrade to n8n 1.123.26 (v1 branch), 2.13.3, or 2.14.1 immediately. 2. RESTRICT permissions: Limit workflow creation/editing to fully trusted users only via n8n's role system. 3. DISABLE the node if unused: Set NODES_EXCLUDE=n8n-nodes-base.dataTable in environment variables. 4. AUDIT: Search existing workflows for Data Table Get nodes where orderByColumn is set to an expression—flag any using $json, $input, or user-supplied variables. 5. DETECT: Monitor PostgreSQL query logs for unusual multi-statement patterns originating from n8n service account. 6. ISOLATE: Ensure n8n's DB service account follows least-privilege—no DROP, TRUNCATE, or cross-schema access.
What systems are affected by CVE-2026-33713?
This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration pipelines, Workflow automation with database connectors, RAG data ingestion pipelines, ETL pipelines for model training data, LLM tool/plugin integrations.
What is the CVSS score for CVE-2026-33713?
CVE-2026-33713 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.02%.
Technical Details
NVD Description
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An attacker with a legitimate n8n account (e.g., a contractor, compromised internal credential, or over-privileged developer) creates or modifies a workflow containing a Data Table Get node. They set the orderByColumn parameter to an expression that injects SQL: e.g., id; DROP TABLE ai_training_data; -- or a UNION-based payload to extract API keys from n8n's own credentials table. On a PostgreSQL backend, the injected multi-statement payload executes directly, allowing the attacker to exfiltrate LLM API keys, Stripe webhooks, or database credentials stored in n8n's encrypted credential store—then pivot to connected AI infrastructure. The attack leaves minimal trace if audit logging is not enabled on the DB layer.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation (same package: n8n)