n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression

Description

A vulnerability identified as critical has been detected in n8n-io n8n up to 1.123.25/2.13.2/2.14.0. This issue affects some unknown processing of the component Environment Variable Handler. Performing a manipulation of the argument NODES_EXCLUDE results in SQL injection. The attack may be initiated remotely.

Affected Products

Vendor	Product	Versions
n8n-io	n8n	< 1.123.26, >= 2.0.0-rc.0, < 2.13.3, = 2.14.0

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-33713 | n8n-io n8n up to 1.123.25/2.13.2/2.14.0 Environment Variable NODES_EXCLUDE sql injection (GHSA-98c2-4cr3-4jc3)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-89

Published3/25/2026

Last enriched4h agov2

Trending Score45

Source articles1

Independent1

Info Completeness7/14

Missing: cvss, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL, marked as actively exploited, and provided a more detailed description of the vulnerability.

descriptionseverityactivelyExploited

via VulDB

v14h ago

Initial creation