Search for vulnerabilities
| Vulnerability ID | VCID-8zpu-gnub-2bb8 |
| Aliases |
CVE-2026-44792
GHSA-mhrx-qhrj-673w |
| Summary | n8n Has a Source Control Pull SQL Injection ## Impact An attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator performed a Source Control Pull, n8n imported the file and could lead to SQL injection on the internal PostgreSQL instance. Exploitation requires all of the following conditions: - The n8n instance uses PostgreSQL as its database backend. - The Source Control feature is enabled and connected to a repository the attacker can write to. - An administrator triggers a Source Control Pull. ## Patches The issue has been fixed in n8n version 1.123.43, 2.20.7, and 2.21.1. Users should upgrade to this version or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Disable the Source Control feature if it is not actively required. - Restrict write access to the connected git repository to fully trusted users only. - Avoid pulling from repositories that may have been modified by untrusted parties. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 8.0 |
| Risk | 4.0 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.0004 | https://api.first.org/data/v1/epss?cve=CVE-2026-44792 |
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-mhrx-qhrj-673w |
| cvssv4 | 8.9 | https://github.com/n8n-io/n8n |
| generic_textual | HIGH | https://github.com/n8n-io/n8n |
| cvssv3.1_qr | HIGH | https://github.com/n8n-io/n8n/security/advisories/GHSA-mhrx-qhrj-673w |
| cvssv4 | 8.9 | https://github.com/n8n-io/n8n/security/advisories/GHSA-mhrx-qhrj-673w |
| generic_textual | HIGH | https://github.com/n8n-io/n8n/security/advisories/GHSA-mhrx-qhrj-673w |
| Reference id | Reference type | URL |
|---|---|---|
| https://api.first.org/data/v1/epss?cve=CVE-2026-44792 | ||
| https://github.com/n8n-io/n8n | ||
| https://github.com/n8n-io/n8n/security/advisories/GHSA-mhrx-qhrj-673w | ||
| GHSA-mhrx-qhrj-673w | https://github.com/advisories/GHSA-mhrx-qhrj-673w |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
| Percentile | 0.12411 |
| EPSS Score | 0.0004 |
| Published At | June 12, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-12T07:51:57.728877+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mhrx-qhrj-673w/GHSA-mhrx-qhrj-673w.json | 38.6.0 |