Security issue

SQL injection risk in n8n

Why building SQL queries with string concatenation puts your database at risk

What is this issue?

SQL injection occurs when untrusted input (a webhook body, a form field, a value returned by an upstream node) is concatenated directly into SQL text instead of being passed as a bound parameter. The database then parses attacker-controlled characters as part of the statement, so the attacker can change what the query does: read, modify, or delete data the workflow was never meant to touch.

Vulnerable patterns detected:

  • SELECT * FROM users WHERE id = '${id}'
  • String concatenation with + or template literals
  • User input from webhooks used directly in queries
  • Dynamic table or column names from external input

Why is this dangerous?

Data breach

Attackers can extract sensitive data from your entire database, including other tables you didn't intend to query.

Data manipulation

Malicious input can modify or delete data, corrupting your database integrity.

Authentication bypass

SQL injection can bypass login checks, giving attackers admin access.

Remote code execution

On some database engines an injection can be escalated to operating system command execution, for example through xp_cmdshell on SQL Server or COPY ... TO PROGRAM on PostgreSQL when the connecting account has the required privileges.

How to fix it

  1. Use parameterized queries

    In the Postgres and MySQL nodes, write placeholders in the SQL ($1, $2, or :param where the node supports named parameters) and supply the values through the node's query-parameters option. Never interpolate {{ }} expressions into the query text itself: a bound parameter is sent to the database as a value and is never parsed as SQL.

  2. Validate and sanitize input

    Before using any external input, check that it matches the expected shape (a numeric ID should contain only digits; an enum field should match an allowlist). Table and column names cannot be bound as parameters, so map them to a fixed allowlist instead of accepting them from input.

  3. Use built-in node operations

    When possible, use the database node's built-in operations (such as Get, Create, Update) instead of raw SQL. They construct the statement with bound values for you.

  4. Implement least privilege

    Connect with a database user that holds only the permissions the workflow needs (for example SELECT on the tables it reads). Don't connect with admin or superuser credentials: with limited rights, a successful injection cannot escalate to the data-breach or command-execution outcomes above.
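The following is an added example, not code from the page or from n8n, showing the four steps above side by side in plain JavaScript (the language of the n8n Code node). The function names, the `users` table, the `sort` field and the allowlisted column names are assumptions for illustration; the `{ query, params }` shape mirrors the $1 placeholder convention from step 1 and is not an n8n API.

```javascript
// Added example: the interpolated pattern the page warns about, beside the
// parameterized and validated form. Helper names are illustrative, not n8n APIs.

// The vulnerable pattern: the input lands inside the SQL text.
function buildUnsafeLookup(id) {
  return `SELECT * FROM users WHERE id = '${id}'`;
}

// Step 1: parameterized form. The SQL text holds only a placeholder; the value
// travels separately and is never parsed as SQL.
function buildParameterizedLookup(id) {
  return { query: 'SELECT * FROM users WHERE id = $1', params: [id] };
}

// Step 2: validate the shape before use. A numeric ID must be digits only.
function requireNumericId(raw) {
  const s = String(raw);
  if (!/^\d{1,18}$/.test(s)) {
    throw new Error(`rejected id: ${JSON.stringify(s)}`);
  }
  return Number(s);
}

// Dynamic identifiers cannot be bound as parameters, so map external input
// to a fixed allowlist and never splice the raw value into the statement.
const ALLOWED_SORT_COLUMNS = { name: 'name', created: 'created_at' }; // assumed columns
function requireSortColumn(raw) {
  const col = ALLOWED_SORT_COLUMNS[String(raw)];
  if (col === undefined) {
    throw new Error(`rejected sort column: ${JSON.stringify(raw)}`);
  }
  return col;
}

// A webhook-driven lookup end to end: validate first, then parameterize.
function prepareUserLookup(webhookBody) {
  const id = requireNumericId(webhookBody.id);
  const sort = requireSortColumn(webhookBody.sort ?? 'name');
  return { query: `SELECT * FROM users WHERE id = $1 ORDER BY ${sort}`, params: [id] };
}

// Demonstration with a constructed malicious webhook body.
const attackerId = "1' OR '1'='1";
console.log(buildUnsafeLookup(attackerId));
// -> SELECT * FROM users WHERE id = '1' OR '1'='1'   (every row matches)
console.log(buildParameterizedLookup(attackerId));
// -> the $1 placeholder stays; the driver sends the whole string as one value
try {
  prepareUserLookup({ id: attackerId });
} catch (e) {
  console.log(e.message); // -> rejected id: "1' OR '1'='1"
}
console.log(prepareUserLookup({ id: '42', sort: 'created' }));
// -> { query: 'SELECT * FROM users WHERE id = $1 ORDER BY created_at', params: [ 42 ] }
```

Steps 3 and 4 have no code of their own: choosing a built-in node operation removes the query-building code entirely, and least privilege is enforced on the database side when the credential is created. The two checks above are what remains when raw SQL is unavoidable.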

Scan your workflow now

Upload your n8n workflow JSON and instantly detect SQL injection risks and other database security issues.

Scan for SQL injection
