CVE-2026-42237
Published 2026-05-04
Priority: P3 (54) · high · 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.25% (16.6th percentile)
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n8n-io | n8n | < 1.123.32 | 1.123.32 |
| n8n-io | n8n | — | — |
| n8n-io | n8n | — | — |
| n8n | n8n | < 1.123.32 | 1.123.32 |
| n8n | n8n | — | — |
| n8n | n8n | >= 0 < 1.123.32 | 1.123.32 |
| n8n | n8n | >= 2.0.0 < 2.17.4 | 2.17.4 |
| n8n | n8n | >= 2.17.0 < 2.17.4 | 2.17.4 |
| n8n | n8n | >= 2.18.0 < 2.18.1 | 2.18.1 |
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 5.3 MEDIUM, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
n8n-io n8n up to 1.123.31/2.17.3/2.18.0 Query String SQL injection (GHSA-hp3c-vfpm-q4f7)
vuldb · 2026-05-04 · CVSS 5.3 · MEDIUM
A vulnerability was found in n8n-io n8n up to 1.123.31/2.17.3/2.18.0 and classified as critical. Impacted is an unknown function of the component Query String Handler. Executing a manipulation can lead to SQL injection.
This vulnerability is handled as CVE-2026-42237. The attack can be executed remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
n8n has SQL Injection in Snowflake and MySQL Nodes
ghsa · 2026-04-29 · MEDIUM · CWE-89
## Impact
The fix for [GHSA-f3f2-mcxc-pwjx](https://github.com/advisories/GHSA-f3f2-mcxc-pwjx) did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database.
Exploitation requires a specific workflow configuration:
- The Snowflake or MySQL v1 node must be used with user-controlled input passed via expressions (e.g., from a form or webhook) into identifier fields such as table name, column name, or update key.
Successful exploitation could allow data exfiltration, modification, or deletion on the downstream database.
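The Impact section above describes the root cause as identifiers (table name, column name, update key) being interpolated into the query string without identifier escaping. The following is an added example, not code from n8n or from the advisory, showing that pattern beside a hardened query builder. It uses the standard identifier-quoting rules of the two dialects the advisory names (MySQL: backtick delimiters, a literal backtick doubled; Snowflake: double-quote delimiters, a literal double quote doubled) and adds a schema allowlist as defence in depth. The function names, the `SCHEMA` table and the `HOSTILE_TABLE` input are constructed for the example.

```javascript
// Added example (not n8n project code): identifier interpolation versus
// identifier quoting plus an allowlist. All names and inputs are constructed.

// Vulnerable pattern: identifiers dropped straight into the SQL string, so any
// quote character or statement terminator in the input changes the statement.
function buildUpdateUnsafe(table, updateKey, columns) {
  const setClause = columns.map((c) => `${c} = ?`).join(", ");
  return `UPDATE ${table} SET ${setClause} WHERE ${updateKey} = ?;`;
}

// Delimiter per dialect. The escaping rule in both dialects is to double the
// closing delimiter wherever it appears inside the identifier.
const DIALECTS = {
  mysql: { open: "`", close: "`" },
  snowflake: { open: '"', close: '"' },
};

function quoteIdentifier(dialect, name) {
  const d = DIALECTS[dialect];
  if (!d) throw new Error(`unknown dialect: ${dialect}`);
  if (typeof name !== "string" || name.length === 0 || name.length > 255) {
    throw new Error("identifier must be a non-empty string of at most 255 characters");
  }
  if (name.includes("\0")) throw new Error("identifier contains a NUL byte");
  // After doubling, nothing in the input can close the quoted identifier, so
  // the value can only ever be read as an object name, never as SQL syntax.
  const escaped = name.split(d.close).join(d.close + d.close);
  return d.open + escaped + d.close;
}

// Defence in depth: when the workflow knows its target schema, reject names
// that are not on the allowlist before quoting. SCHEMA is a constructed sample.
const SCHEMA = {
  customers: new Set(["id", "email", "status"]),
};

function assertKnownIdentifier(table, column) {
  const cols = SCHEMA[table];
  if (!cols) throw new Error(`unknown table: ${table}`);
  if (column !== undefined && !cols.has(column)) {
    throw new Error(`unknown column ${column} on table ${table}`);
  }
}

// Hardened builder: identifiers are allowlisted (optional) and quoted; values
// still travel as bind parameters (?), which identifier quoting does not replace.
function buildUpdateSafe(dialect, table, updateKey, columns, { allowlist = true } = {}) {
  if (allowlist) {
    assertKnownIdentifier(table, updateKey);
    columns.forEach((c) => assertKnownIdentifier(table, c));
  }
  const q = (n) => quoteIdentifier(dialect, n);
  const setClause = columns.map((c) => `${q(c)} = ?`).join(", ");
  return `UPDATE ${q(table)} SET ${setClause} WHERE ${q(updateKey)} = ?;`;
}

// Constructed input: a "table name" carrying a delimiter and a comment marker,
// the kind of value a form field or webhook body could deliver through an expression.
const HOSTILE_TABLE = "customers`; -- ";

function demo() {
  const unsafe = buildUpdateUnsafe(HOSTILE_TABLE, "id", ["status"]);
  // Quoting alone neutralises the input: it becomes a (nonexistent) table name.
  const quoted = buildUpdateSafe("mysql", HOSTILE_TABLE, "id", ["status"], { allowlist: false });
  // With the allowlist on, the unknown name is rejected before any SQL is built.
  let rejected = false;
  try {
    buildUpdateSafe("mysql", HOSTILE_TABLE, "id", ["status"]);
  } catch (e) {
    rejected = true;
  }
  return { unsafe, quoted, rejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `unsafe` string in the demo output shows the raw delimiter and comment marker landing inside the statement, while `quoted` shows the same input wrapped as `` `customers``; -- ` ``, a single identifier. In real code, prefer the driver's own identifier escaping (the `mysql` and `mysql2` Node drivers expose `escapeId` for this purpose) over a hand-written quoter, and keep the allowlist when the set of tables and columns is known in advance; quoting makes the input harmless, but the allowlist also produces a clear error to log and alert on.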
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-04