n8n Merge Node SQL Injection Leading to RCE via AlaSQL Sandbox Escape
Authenticated users can bypass AlaSQL sandbox restrictions in n8n's Merge node to execute arbitrary SQL, read sensitive files, and achieve remote code execution. This PoC demonstrates insufficient input validation in what should be a restricted query execution environment.
CVE References
Affected
Vulnerability Description
This vulnerability exists in the Merge node's "Combine by SQL" mode, which uses AlaSQL as a query engine. AlaSQL is a lightweight in-memory SQL database designed for JavaScript environments, but the n8n implementation did not apply sufficient sandboxing controls. The vulnerability class is sandbox escape via SQL injection: the AlaSQL query processor does not adequately restrict dangerous SQL statements or functions that can read the file system or execute system commands through JavaScript interop features.
Proof-of-Concept Significance
The PoC demonstrates that an authenticated user with workflow creation/modification permissions can craft malicious SQL statements within the Merge node configuration. The precondition is workflow editing access—a common privilege for legitimate users. This is significant because it means the attack surface includes internal users, not just unauthenticated attackers. The PoC proves that AlaSQL's isolation is insufficient and that no input validation layer exists to block dangerous constructs.
Detection Guidance
Defenders should monitor for:
- Merge node configuration changes in workflow audit logs, especially modifications to the SQL mode parameters
- Unusual SQL statements containing file system operations, JavaScript function calls, or administrative functions
- Spike in file read operations on n8n host instances, particularly attempts to access /etc/, environment configuration files, or SSH keys
- AlaSQL execution logs (if available) showing SQL injection patterns or JavaScript injection attempts
- Process spawning from n8n runtime (Node.js) that correlates with workflow execution
Mitigation Steps
Immediate patching is the primary remediation:
- Upgrade to n8n 2.14.1, 2.13.3, or 1.123.27 or later
Temporary workarounds if patching is delayed:
- Restrict workflow creation and editing permissions to a minimal set of trusted users via role-based access control
- Disable the Merge node entirely by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable
- Audit all existing workflows using Merge nodes with SQL mode enabled and review their logic
- Implement file system access controls to limit n8n process permissions (principle of least privilege)
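The workflow audit from the workarounds above can be scripted against exported workflow JSON. This is an added example, not code from n8n or the advisory; it assumes the Merge node stores its mode as parameters.mode = "combineBySql", keeps the SQL in parameters.query, and names its input tables input1, input2, and so on. The function names and sample workflows are hypothetical.

```javascript
// Added example: audit exported n8n workflow JSON for Merge nodes in SQL mode.
// Assumptions (not from the advisory): parameters.mode === 'combineBySql',
// SQL text in parameters.query, and input tables named input1, input2, ...
const MERGE_TYPE = 'n8n-nodes-base.merge';

// Reasons a query deviates from one plain SELECT over the node's inputs.
function reviewQuery(query) {
  const sql = String(query ?? '').trim().replace(/;\s*$/, '');
  if (sql === '') return ['empty or missing query'];
  const reasons = [];
  if (sql.includes(';')) reasons.push('multiple statements');
  if (!/^select\b/i.test(sql)) reasons.push('not a SELECT statement');
  // Every source named directly after FROM/JOIN must be one of the Merge inputs.
  for (const m of sql.matchAll(/\b(?:from|join)\s+([^\s,;()]+)/gi)) {
    if (!/^input\d+$/i.test(m[1])) reasons.push(`non-input source: ${m[1]}`);
  }
  return reasons;
}

// Lists every SQL-mode Merge node; a non-empty reasons array means review first.
function auditWorkflows(workflows) {
  const findings = [];
  for (const wf of workflows) {
    for (const node of wf.nodes ?? []) {
      if (node.type !== MERGE_TYPE) continue;
      if (node.parameters?.mode !== 'combineBySql') continue;
      const reasons = reviewQuery(node.parameters.query);
      findings.push({ workflow: wf.name, node: node.name, reasons });
    }
  }
  return findings;
}

// Constructed sample data, not taken from a real instance.
const sampleWorkflows = [
  { name: 'crm-sync', nodes: [
    { name: 'Merge', type: MERGE_TYPE, parameters: { mode: 'combineBySql',
      query: 'SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id' } },
    { name: 'Append', type: MERGE_TYPE, parameters: { mode: 'append' } } ] },
  { name: 'report', nodes: [
    { name: 'Merge1', type: MERGE_TYPE, parameters: { mode: 'combineBySql',
      query: 'SELECT * FROM input1; SELECT * FROM other_table' } } ] },
];

for (const f of auditWorkflows(sampleWorkflows)) {
  const verdict = f.reasons.join('; ') || 'plain SELECT over inputs';
  console.log(`${f.workflow}/${f.node}: ${verdict}`);
}
```

The check is an allowlist, so it flags anything that is not a single SELECT over the node's own inputs for manual review rather than trying to recognise specific malicious constructs.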
Risk Assessment
Likelihood of exploitation is high given:
- Requires only authenticated access (low barrier for insider threats or compromised accounts)
- Merge node is commonly used for data transformation workflows
- Remote code execution provides full system compromise
- Threat actors with supply chain or insider access find this appealing
This vulnerability is attractive because it provides authenticated RCE without requiring additional exploitation chains, making it a high-value target for malware operators and APT groups targeting workflow automation infrastructure.