CVE-2026-42233

CRITICAL

n8n: SQL Injection in Oracle Database Node via Limit Field

Title source: cna

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755

Scores

CVSS v3 9.8

EPSS 0.0006

EPSS Percentile 17.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (8)

n8n/n8n 2.18.0

n8n/n8n < 1.123.32

n8n-io/n8n < 1.123.32

n8n-io/n8n >= 2.17.0, < 2.17.4

n8n-io/n8n >= 2.18.0, < 2.18.1

npm/n8n 0 - 1.123.32npm

npm/n8n 2.0.0 - 2.17.4npm

npm/n8n 2.18.0 - 2.18.1npm

Published May 04, 2026

Tracked Since May 05, 2026