Upgrade @n8n/api-types to version 1.20.1, 1.21.1 or higher.
@n8n/api-types is a fair-code workflow automation platform with native AI capabilities.
Affected versions of this package are vulnerable to SQL Injection in the process of importing a Data Table JSON file during a Source Control Pull operation. An attacker who can write to the git repository behind an n8n instance's Source Control configuration can cause the execution of SQL commands by committing a malicious file with a column name containing control characters to the repository, and convincing a user to perform a pull operation on it. This is only exploitable if the instance uses PostgreSQL as its database backend and the Source Control feature is enabled.
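The following is an added example, not code from n8n or from this advisory: a check that a repository hook or import step could run on a Data Table JSON file before its column names reach any SQL statement. The file shape (`columns` as an array of objects with a `name`) and the function names `findColumnProblems` and `quoteIdent` are assumptions made for illustration.

```javascript
// Added example. The file shape { name, columns: [{ name }] } is an assumption,
// not n8n's actual export format; all function names here are hypothetical.

// PostgreSQL truncates identifiers at 63 bytes, so cap ASCII names at 63 chars.
const PLAIN_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
// C0 and C1 control characters plus DEL.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/;

// Returns a list of human-readable problems; an empty list means the file passes.
function findColumnProblems(table) {
  if (!table || !Array.isArray(table.columns)) {
    return ['"columns" is missing or not an array'];
  }
  const problems = [];
  table.columns.forEach((col, i) => {
    const name = col && col.name;
    if (typeof name !== 'string') {
      problems.push(`column ${i}: name is not a string`);
      return;
    }
    // JSON.stringify escapes control characters so the report itself is safe to log.
    const shown = JSON.stringify(name);
    if (CONTROL_CHARS.test(name)) {
      problems.push(`column ${i}: control character in ${shown}`);
    } else if (!PLAIN_IDENTIFIER.test(name)) {
      problems.push(`column ${i}: ${shown} is not a plain identifier`);
    }
  });
  return problems;
}

// Defence in depth for any name that still reaches DDL: emit a PostgreSQL
// delimited identifier, doubling embedded double quotes. NUL is never valid.
function quoteIdent(name) {
  if (name.includes('\u0000')) throw new Error('NUL byte in identifier');
  return '"' + name.replace(/"/g, '""') + '"';
}

// Constructed sample inputs (not taken from any real repository).
const SAMPLE_OK = { name: 'customers', columns: [{ name: 'email' }, { name: 'signup_date' }] };
const SAMPLE_BAD = {
  name: 'customers',
  columns: [{ name: 'email' }, { name: 'note\r\n' }, { name: 'unit price' }],
};

console.log(findColumnProblems(SAMPLE_OK));
console.log(findColumnProblems(SAMPLE_BAD));
console.log(quoteIdent('unit price'));
```

Rejecting a file when `findColumnProblems` returns anything is the primary control; `quoteIdent` only covers names that are deliberately allowed outside the plain-identifier pattern.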