CVE-2026-59257
NixOS 취약성 분석 및 완화

개요

CVE-2026-59257 is a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation within the n8n workflow automation platform. The flaw affects n8n versions before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1. It was published on July 8, 2026, with the original advisory (GHSA-hwmj-qg4v-cvg9) published by the n8n maintainers on June 24, 2026. The vulnerability carries a CVSS v3.1 base score of 8.8 (High) and a CVSS v4.0 base score of 5.3 (Medium) (GitHub Advisory, Github Advisory).

기술적 세부 사항

The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), classified as a classic SQL injection. The MySQL v1 node's executeQuery operation interpolates evaluated {{ ... }} expression values directly into raw SQL strings without using parameterized queries or prepared statements. When a workflow connects this node to an externally-reachable trigger — such as a Webhook node — attacker-controlled HTTP input flows into those expressions and is embedded unsanitized into the SQL query, enabling arbitrary SQL execution. The MySQL v2 node is not affected because it uses parameterized queries by design (GitHub Advisory, Github Advisory).

영향

Successful exploitation allows an attacker to execute arbitrary SQL commands with the full privileges of the MySQL credentials configured in the affected workflow, enabling unauthorized disclosure, modification, or deletion of data in the downstream database. Because n8n workflows often integrate with sensitive business data sources, the blast radius can extend beyond a single database to any system accessible via the compromised MySQL credentials. The subsequent system confidentiality and integrity impacts are rated High under CVSS v4.0, reflecting the potential for significant data exposure and tampering (GitHub Advisory, Github Advisory).

착취 단계

  1. Reconnaissance: Identify publicly accessible n8n instances running vulnerable versions (before 1.123.61, 2.27.4, or 2.28.1) using tools like Shodan or Censys, searching for n8n webhook endpoints.
  2. Identify target webhook: Enumerate or guess active webhook URLs exposed by the n8n instance (e.g., /webhook/<uuid>). These are often predictable or discoverable via error messages or documentation.
  3. Craft malicious payload: Construct an HTTP request (GET or POST) to the webhook endpoint with SQL injection payloads embedded in input fields that are mapped to {{ ... }} expressions used in the MySQL v1 executeQuery node (e.g., ' OR '1'='1 or '; DROP TABLE users; --).
  4. Trigger workflow execution: Send the crafted request to the webhook, causing n8n to evaluate the expression and interpolate the attacker-controlled value directly into the raw SQL query string.
  5. Execute arbitrary SQL: The injected SQL is executed against the configured MySQL database with the credentials' full privileges, enabling data exfiltration (e.g., UNION SELECT attacks), data manipulation, or — if the MySQL user has FILE or EXECUTE privileges — potential OS-level command execution (GitHub Advisory, Github Advisory).

타협의 징후

  • Network: Unusual or malformed HTTP requests to n8n webhook endpoints (/webhook/<uuid>) containing SQL metacharacters (e.g., single quotes, UNION, SELECT, DROP, --, ;) in query parameters or POST body fields.
  • Logs: n8n execution logs showing MySQL v1 executeQuery node errors or unexpected query structures; MySQL general query logs recording anomalous SQL statements (e.g., UNION SELECT, stacked queries, or queries referencing information_schema) originating from the n8n service account.
  • Database: Unexpected changes to database tables, new user accounts created in MySQL, or evidence of data exfiltration (large SELECT queries returning unusual volumes of data) under the n8n MySQL credentials.
  • Process: Unusual child processes spawned from the n8n Node.js process if the MySQL user has OS-level command execution privileges (e.g., via SELECT ... INTO OUTFILE or UDF abuse).

완화 및 해결 방법

Upgrade n8n to version 1.123.61, 2.27.4, or 2.28.1 (or later), which contain the fix for this vulnerability. If immediate upgrading is not possible, the following temporary mitigations should be applied: disable the MySQL node by adding n8n-nodes-base.mySql to the NODES_EXCLUDE environment variable; require authentication on all webhook endpoints used in workflows containing MySQL v1 executeQuery nodes; or migrate affected workflows to the MySQL v2 node, which uses parameterized queries and is not vulnerable. These workarounds do not fully remediate the risk and should only be used as short-term measures (GitHub Advisory).

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 NixOS 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2026-59257MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026
CVE-2026-59253MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026
CVE-2026-56778MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026
CVE-2026-56776MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026
CVE-2026-56775MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자