n8n's TimescaleDB and legacy Postgres v1 workflow nodes fail to sanitize crafted parameters, allowing any authenticated user with workflow-edit rights to inject and execute arbitrary SQL against the connected database. With a CVSS of 9.9 and Changed Scope, a single compromised n8n account can fully compromise the underlying database—exfiltrating all records, corrupting data, and potentially escalating to host-level code execution via database extensions such as pg_execute_server_program or COPY TO PROGRAM. Although the absolute EPSS score is low at 0.00038, this sits at the 88th percentile for exploitation likelihood, SQL injection techniques are trivially accessible, and n8n's widespread adoption as an AI agent orchestration layer means databases storing LLM outputs, RAG document chunks, user PII, and cached API keys are all in scope. Patch immediately to n8n 2.25.7 or 2.26.2; if downtime prevents immediate upgrade, disable the vulnerable nodes by adding n8n-nodes-base.postgres and n8n-nodes-base.timescaleDb to NODES_EXCLUDE and restrict workflow editing to fully trusted users only.
What is the risk?
Critical. The combination of low privilege requirement (any authenticated user), network-accessible attack vector, no user interaction needed, and Changed Scope with full Confidentiality/Integrity/Availability impact produces a near-maximum severity rating. n8n's 95 prior CVEs signal a persistent security debt that warrants heightened scrutiny of the platform's security posture. In AI agent deployments, n8n routinely holds credentials to production databases containing sensitive pipeline data, amplifying blast radius well beyond the n8n instance itself. The OpenSSF Scorecard of 6.5/10 and package risk score of 69/100 reinforce that this package demands active patching discipline. The low absolute EPSS value is more than offset by the 88th percentile ranking and the near-zero exploit complexity inherent to SQL injection.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | >= 2.26.0, < 2.26.2 | 2.26.2 |
Do you use n8n? You're affected.
What should I do?
6 steps:
1. Upgrade n8n immediately to version 2.25.7 or 2.26.2.
2. If upgrade is not immediately possible, add 'n8n-nodes-base.postgres' and 'n8n-nodes-base.timescaleDb' to the NODES_EXCLUDE environment variable to disable the vulnerable nodes at the application layer.
3. Restrict workflow creation and editing permissions to fully trusted users only; audit existing role assignments and revoke unnecessary edit access.
4. Apply least privilege to the n8n database account—remove superuser, DDL, COPY FILE, and pg_execute_server_program privileges if present; use a dedicated read/write-only account scoped to n8n's required tables.
5. Audit existing workflow definitions for suspicious SQL parameter values (UNION SELECT, stacked queries, system function calls such as pg_read_file or pg_ls_dir).
6. Enable PostgreSQL query logging (log_min_duration_statement = 0 temporarily) and alert on anomalous SQL patterns originating from the n8n application user.
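As an added example (not n8n's code and not part of the advisory), the following Node.js script carries out steps 2, 5 and 6 mechanically: it audits an exported workflow JSON for the two affected node types and flags query parameters containing the indicators listed above, reports which affected node types are still reachable given a NODES_EXCLUDE value, and scans PostgreSQL statement logs for the same indicators issued by the n8n database user. It assumes n8n's workflow export shape ({ nodes: [{ name, type, parameters }] }), that NODES_EXCLUDE holds a JSON array of node type names, and a log_line_prefix of '%m [%p] user=%u,db=%d '; the workflow and the log lines are constructed samples, not data from a real instance.

```javascript
// Added example, not n8n project code. Node.js, no dependencies.
// All sample data at the bottom is constructed for illustration.

const AFFECTED_NODE_TYPES = new Set([
  'n8n-nodes-base.postgres',
  'n8n-nodes-base.timescaleDb',
]);

// Indicators from the remediation guidance: stacked statements, UNION SELECT,
// server-side file/program functions, and comment-based truncation.
const SUSPICIOUS_SQL = [
  { name: 'stacked-statement', re: /;\s*(select|insert|update|delete|drop|alter|create|copy|grant)\b/i },
  { name: 'union-select', re: /\bunion\s+(all\s+)?select\b/i },
  { name: 'server-file-function', re: /\b(pg_read_file|pg_read_binary_file|pg_ls_dir|pg_execute_server_program|lo_import|lo_export)\s*\(/i },
  { name: 'copy-program', re: /\bcopy\b[^;]*\b(to|from)\s+program\b/i },
  { name: 'comment-truncation', re: /--|\/\*/ },
];

// Names of every indicator matching the given SQL text.
function findSuspiciousSql(text) {
  return SUSPICIOUS_SQL.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Walk a node's parameters recursively so indicators nested in options are found.
function* stringParameters(value, path = 'parameters') {
  if (typeof value === 'string') {
    yield { path, value };
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      yield* stringParameters(child, `${path}.${key}`);
    }
  }
}

// Step 5: one finding per suspicious string parameter on an affected node.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (!AFFECTED_NODE_TYPES.has(node.type)) continue;
    for (const { path, value } of stringParameters(node.parameters || {})) {
      const patterns = findSuspiciousSql(value);
      if (patterns.length) findings.push({ node: node.name, path, patterns });
    }
  }
  return findings;
}

// Step 2: NODES_EXCLUDE is assumed to be a JSON array of node type names; a plain
// comma-separated value is tolerated too. Returns affected types still enabled.
function unexcludedAffectedNodes(nodesExcludeEnv) {
  let excluded = [];
  if (nodesExcludeEnv) {
    try {
      excluded = JSON.parse(nodesExcludeEnv);
      if (!Array.isArray(excluded)) excluded = [String(excluded)];
    } catch {
      excluded = nodesExcludeEnv.split(',').map((s) => s.trim());
    }
  }
  const excludedSet = new Set(excluded);
  return [...AFFECTED_NODE_TYPES].filter((t) => !excludedSet.has(t));
}

// Step 6: statement log lines (log_min_duration_statement = 0) for the n8n
// application user. Assumes log_line_prefix = '%m [%p] user=%u,db=%d '.
const LOG_RE = /user=([^,\s]+),db=\S+\s+LOG:\s+(?:duration: [\d.]+ ms\s+)?statement: (.*)$/;

function scanPostgresLog(lines, appUser) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m || m[1] !== appUser) continue;
    const patterns = findSuspiciousSql(m[2]);
    if (patterns.length) hits.push({ statement: m[2], patterns });
  }
  return hits;
}

// ---- Constructed sample data -------------------------------------------------
const sampleWorkflow = {
  nodes: [
    { name: 'Load chunks', type: 'n8n-nodes-base.postgres',
      parameters: { operation: 'executeQuery', query: 'SELECT id, body FROM rag_chunks WHERE doc_id = $1' } },
    { name: 'Suspicious', type: 'n8n-nodes-base.timescaleDb',
      parameters: { operation: 'executeQuery', query: "SELECT 1; SELECT pg_read_file('/etc/passwd')--" } },
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'x; SELECT 1' } },
  ],
};

const sampleLog = [
  '2026-01-01 10:00:00.000 UTC [4242] user=n8n,db=n8n LOG:  duration: 0.210 ms  statement: SELECT id FROM rag_chunks WHERE doc_id = 17',
  '2026-01-01 10:00:01.000 UTC [4242] user=n8n,db=n8n LOG:  duration: 0.330 ms  statement: SELECT 1 UNION SELECT api_key FROM credentials--',
  '2026-01-01 10:00:02.000 UTC [4243] user=analyst,db=n8n LOG:  duration: 1.000 ms  statement: SELECT 1 UNION SELECT 2',
];

console.log(JSON.stringify({
  workflowFindings: auditWorkflow(sampleWorkflow),
  stillEnabled: unexcludedAffectedNodes(process.env.NODES_EXCLUDE),
  logHits: scanPostgresLog(sampleLog, 'n8n'),
}, null, 2));
```

Run it with NODES_EXCLUDE set to the value from step 2 to confirm stillEnabled comes back empty; the Webhook node is ignored on purpose because only the two affected node types are in scope here, and the analyst's log line is skipped because the alerting rule is scoped to the n8n application user.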
Frequently Asked Questions
What is CVE-2026-54310?
n8n's TimescaleDB and legacy Postgres v1 workflow nodes fail to sanitize crafted parameters, allowing any authenticated user with workflow-edit rights to inject and execute arbitrary SQL against the connected database. With a CVSS of 9.9 and Changed Scope, a single compromised n8n account can fully compromise the underlying database—exfiltrating all records, corrupting data, and potentially escalating to host-level code execution via database extensions such as pg_execute_server_program or COPY TO PROGRAM. Although the absolute EPSS score is low at 0.00038, this sits at the 88th percentile for exploitation likelihood, SQL injection techniques are trivially accessible, and n8n's widespread adoption as an AI agent orchestration layer means databases storing LLM outputs, RAG document chunks, user PII, and cached API keys are all in scope. Patch immediately to n8n 2.25.7 or 2.26.2; if downtime prevents immediate upgrade, disable the vulnerable nodes by adding n8n-nodes-base.postgres and n8n-nodes-base.timescaleDb to NODES_EXCLUDE and restrict workflow editing to fully trusted users only.
Is CVE-2026-54310 actively exploited?
No confirmed active exploitation of CVE-2026-54310 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54310?
1. Upgrade n8n immediately to version 2.25.7 or 2.26.2.
2. If upgrade is not immediately possible, add 'n8n-nodes-base.postgres' and 'n8n-nodes-base.timescaleDb' to the NODES_EXCLUDE environment variable to disable the vulnerable nodes at the application layer.
3. Restrict workflow creation and editing permissions to fully trusted users only; audit existing role assignments and revoke unnecessary edit access.
4. Apply least privilege to the n8n database account—remove superuser, DDL, COPY FILE, and pg_execute_server_program privileges if present; use a dedicated read/write-only account scoped to n8n's required tables.
5. Audit existing workflow definitions for suspicious SQL parameter values (UNION SELECT, stacked queries, system function calls such as pg_read_file or pg_ls_dir).
6. Enable PostgreSQL query logging (log_min_duration_statement = 0 temporarily) and alert on anomalous SQL patterns originating from the n8n application user.
What systems are affected by CVE-2026-54310?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, RAG pipelines, Data pipelines, Model serving backends.
What is the CVSS score for CVE-2026-54310?
CVE-2026-54310 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.04%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0086 Exfiltration via AI Agent Tool Invocation
What are the technical details?
Original Advisory
## Impact
An authenticated user with permission to create or modify workflows could supply crafted parameters to the TimescaleDB and/or legacy Postgres v1 nodes, allowing arbitrary SQL to be injected and executed against the connected database within the privileges of the configured database account.
## Patches
The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.
## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Postgres and TimescaleDB nodes by adding `n8n-nodes-base.postgres`, `n8n-nodes-base.timescaleDb` to the `NODES_EXCLUDE` environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An attacker with a standard n8n user account—obtained via credential stuffing, phishing a workflow editor, or insider access—creates a new workflow containing a Postgres or TimescaleDB node. They craft the node's query parameter to embed a stacked SQL statement, for example appending '; SELECT pg_read_file('/etc/passwd')--' or injecting a UNION SELECT to dump all table contents into the query result. In AI agent deployments where n8n orchestrates tool calls and persists LLM outputs and RAG document chunks to Postgres, the attacker exfiltrates all stored conversation history, user PII, and any API keys cached in the database within a single workflow execution. If the n8n database account holds superuser privileges—common in default Docker-based self-hosted installations—the attacker further invokes COPY TO PROGRAM or a custom extension to execute OS commands on the database host, achieving full server compromise from a single low-privilege n8n session.
Weaknesses (CWE)
CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
- [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]
Source: MITRE CWE corpus.
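To make the CWE-89 guidance above concrete, here is an added example in Node.js (not n8n's code) that places the string-concatenated query construction beside a parameterized form using Postgres-style $1 placeholders, plus a strict identifier allowlist for the parts of a statement (table and column names) that cannot be bound as parameters. Function names, the allowlist and the sample value are the example's own; the hostile value reuses the payload shape quoted in the exploitation scenario on this page.

```javascript
// Added example, not n8n project code: the vulnerable pattern (CWE-89) beside a
// hardened form. The hardened builder returns { text, values }, the shape
// node-postgres style clients accept, so the value is sent out of band rather
// than spliced into the SQL text.

// Vulnerable: the user-controlled value is spliced into the statement. A value
// that closes the quote can terminate the statement and append its own.
function buildQueryUnsafe(table, column, value) {
  return `SELECT * FROM ${table} WHERE ${column} = '${value}'`;
}

// Identifiers cannot be bound as parameters, so they are validated against a
// strict pattern (PostgreSQL names are at most 63 bytes) and an optional
// allowlist, then double-quoted. Anything else is rejected, not "escaped".
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

function quoteIdentifier(name, allowlist) {
  if (typeof name !== 'string' || !IDENTIFIER_RE.test(name)) {
    throw new Error(`rejected SQL identifier: ${JSON.stringify(name)}`);
  }
  if (allowlist && !allowlist.has(name)) {
    throw new Error(`identifier not in allowlist: ${name}`);
  }
  return `"${name}"`;
}

// Hardened: data travels as bound parameter $1; statement structure comes only
// from validated identifiers.
function buildQuerySafe(table, column, value, allowedTables) {
  return {
    text: `SELECT * FROM ${quoteIdentifier(table, allowedTables)} WHERE ${quoteIdentifier(column)} = $1`,
    values: [value],
  };
}

// Rough count of top-level statements (semicolons outside single-quoted
// strings): a quick way to show the unsafe builder produced more than one.
function countStatements(sql) {
  let count = 1;
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") inString = !inString;
    else if (ch === ';' && !inString && sql.slice(i + 1).trim().length) count++;
  }
  return count;
}

// Constructed sample input mirroring the scenario on this page (hypothetical table names).
const ALLOWED_TABLES = new Set(['rag_chunks', 'conversations']);
const hostileValue = "1'; SELECT pg_read_file('/etc/passwd')--";

const unsafe = buildQueryUnsafe('rag_chunks', 'doc_id', hostileValue);
const safe = buildQuerySafe('rag_chunks', 'doc_id', hostileValue, ALLOWED_TABLES);
console.log('unsafe statements:', countStatements(unsafe), unsafe);
console.log('safe statements:  ', countStatements(safe.text), safe);
```

With the hostile value, the concatenated form yields two statements while the parameterized form still sends exactly one and hands the value to the driver untouched; a table name outside the allowlist, or one containing quotes or semicolons, is refused before any SQL is built.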
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials. Same package: n8n
- CVE-2026-54309 (10.0) n8n: MCP browser auth bypass allows full browser takeover. Same package: n8n
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same package: n8n
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion. Same package: n8n
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE. Same package: n8n