Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-42233

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

View on NVD

Analysis

n8n workflows using the Oracle Database node are vulnerable to SQL injection via the Limit field. If your automation accepts external input (such as webhooks) that reaches these nodes, an attacker could exfiltrate data from your connected database. Users should upgrade to version 1.123.32, 2.17.4, or 2.18.1 to mitigate this risk.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-89

EPSS

Probability of exploitation (next 30 days): 0.0005 (0.0%)
Percentile: 14.1%
EPSS: 2026-05-06

Affects

n8n:n8n

Technical description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Published: 5/4/2026, 7:16:05 PM
Last modified: 5/6/2026, 6:07:22 PM

References

HomeEventsBlogResourcesTeam