CVE-2026-42229
Published 2026-05-04
Priority P3 54 · High · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS 0.34% (26.1th percentile)
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n8n-io | n8n | < 1.123.32 | 1.123.32 |
| n8n-io | n8n | — | — |
| n8n-io | n8n | — | — |
| n8n | n8n | < 1.123.32 | 1.123.32 |
| n8n | n8n | — | — |
| n8n | n8n | >= 0 < 1.123.32 | 1.123.32 |
| n8n | n8n | >= 2.0.0 < 2.17.4 | 2.17.4 |
| n8n | n8n | >= 2.17.0 < 2.17.4 | 2.17.4 |
| n8n | n8n | >= 2.18.0 < 2.18.1 | 2.18.1 |
CVSS provenance
NVD · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD · v4.0 · 5.3 MEDIUM · CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
n8n-io n8n up to 1.123.31/2.17.3/2.18.0 Query String sql injection (GHSA-mp4j-h6gh-f6mp)
vuldb · 2026-05-04 · CVSS 5.3 · [MEDIUM]
A vulnerability classified as critical has been found in n8n-io n8n up to 1.123.31/2.17.3/2.18.0. This affects an unknown function of the component Query String Handler. Performing a manipulation results in SQL injection.
This vulnerability is reported as CVE-2026-42229. The attack can be carried out remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
n8n has SQL Injection in SeaTable Node
ghsa · 2026-04-29 · CWE-89 · [MEDIUM]
## Impact
A flaw in the SeaTable node's `row:search` and `row:get` operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow.
Exploitation requires a specific workflow configuration:
- The SeaTable node must be used with user-controlled input passed via expressions (e.g., from a form or webhook) into the `searchTerm` or `rowId` parameters.
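The advisory's root cause is a value from a workflow expression being spliced into a query string as text. The block below is an added example, not n8n's or SeaTable's code and not the fix described by the advisory: it places the concatenating pattern next to a hardened builder that allow-lists identifiers, quotes the search term as a literal, and validates the row id as an opaque token, and then uses a small literal scanner to show how each query reads to a SQL parser. It assumes a generic SQL dialect where string literals are single-quoted and a quote inside a literal is written as two quotes; the table name `Contacts`, column `Name` and the sample term `O'Brien` are constructed.

```javascript
// Added example (not n8n's, SeaTable's, or the advisory's code): a guard
// for workflow values that get interpolated into a SQL query string.
// Assumptions: a generic SQL dialect in which string literals are single-
// quoted and a literal quote is written as two single quotes; SeaTable's
// exact dialect and the fix n8n shipped are not described on this page.

const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
const ROW_ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumed shape of an opaque row id

// The pattern the advisory describes: the search term is dropped straight
// into the query text, so a quote in the term ends the literal early.
function buildSearchQueryUnsafe(table, column, term) {
  return `SELECT * FROM ${table} WHERE ${column} = '${term}'`;
}

// Hardened builder: identifiers must match an allow-listed shape and the
// value is quoted as a literal, so it cannot contribute query syntax.
function checkIdentifier(name) {
  if (typeof name !== 'string' || !IDENTIFIER_RE.test(name)) {
    throw new Error(`rejected identifier: ${JSON.stringify(name)}`);
  }
  return name;
}

function quoteLiteral(value) {
  if (typeof value !== 'string') throw new TypeError('string value expected');
  return `'${value.replace(/'/g, "''")}'`;
}

function buildSearchQuerySafe(table, column, term) {
  return `SELECT * FROM ${checkIdentifier(table)} ` +
         `WHERE ${checkIdentifier(column)} = ${quoteLiteral(term)}`;
}

// Row ids are opaque tokens, not free text: validate the shape and reject
// anything else rather than trying to escape it.
function checkRowId(rowId) {
  if (typeof rowId !== 'string' || !ROW_ID_RE.test(rowId)) {
    throw new Error(`rejected row id: ${JSON.stringify(rowId)}`);
  }
  return rowId;
}

// Minimal literal scanner used to show what each query looks like to a SQL
// parser: returns the string literals found and whether quoting is balanced.
function scanLiterals(sql) {
  const literals = [];
  let inLiteral = false;
  let current = '';
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (!inLiteral) {
      if (ch === "'") { inLiteral = true; current = ''; }
      continue;
    }
    if (ch === "'") {
      if (sql[i + 1] === "'") { current += "'"; i++; continue; } // doubled quote
      literals.push(current);
      inLiteral = false;
      continue;
    }
    current += ch;
  }
  return { literals, balanced: !inLiteral };
}

// Constructed workflow input: a legitimate name that contains an apostrophe.
const SAMPLE_TERM = "O'Brien";

function demo() {
  const unsafe = buildSearchQueryUnsafe('Contacts', 'Name', SAMPLE_TERM);
  const safe = buildSearchQuerySafe('Contacts', 'Name', SAMPLE_TERM);
  return {
    unsafe,
    safe,
    unsafeScan: scanLiterals(unsafe), // literal closes after "O"; rest is bare SQL
    safeScan: scanLiterals(safe),     // one literal, "O'Brien", quoting balanced
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the unsafe query the scanner finds only the literal `O` and an unbalanced trailing quote, meaning everything after the apostrophe is parsed as query syntax rather than data; the hardened query keeps the whole term inside one literal. Where the backend exposes real parameter binding, prefer that over quoting; the durable fix for this CVE remains upgrading to the patched versions listed above.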
## Patches
The issue has been fixed in n8
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.