SQL Injection Vulnerability in n8n Workflow Automation Platform
CVE-2026-42237

5.3 MEDIUM

Key Information:

Vendor

N8n-io

Status
Vendor
CVE Published:
4 May 2026

What is CVE-2026-42237?

The Snowflake and legacy MySQL v1 nodes of the n8n Workflow Automation Platform embed user-controlled parameters directly into SQL query strings without proper escaping. An attacker who controls those parameters can manipulate the resulting queries (SQL injection). If exploited, this flaw can lead to unauthorized access to the connected database, posing a significant security risk. Users are advised to update to the patched versions 1.123.32, 2.17.4, or 2.18.1 to mitigate this issue.

Affected Version(s)

n8n < 1.123.32

n8n >= 2.17.0, < 2.17.4

n8n >= 2.18.0, < 2.18.1
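
To triage instances against this advisory, the following added example (not n8n's code and not part of the advisory) checks a version string against the ranges listed above and lists the nodes in an exported workflow that use the Snowflake or legacy MySQL v1 node. The node type strings, the `typeVersion` field and the shape of the export are assumptions about n8n's workflow JSON; the sample workflow is constructed.

```javascript
// Triage helper for CVE-2026-42237 (added example, not n8n project code).
// Affected ranges copied from this advisory, as half-open [min, max).
const AFFECTED = [
  { min: [0, 0, 0], max: [1, 123, 32] },
  { min: [2, 17, 0], max: [2, 17, 4] },
  { min: [2, 18, 0], max: [2, 18, 1] },
];

// Assumption: node type identifiers as they appear in exported workflow JSON.
const SNOWFLAKE = 'n8n-nodes-base.snowflake';
const MYSQL = 'n8n-nodes-base.mySql';

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised n8n version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  return AFFECTED.some(r => cmp(p, r.min) >= 0 && cmp(p, r.max) < 0);
}

// Returns the nodes in one exported workflow that use the Snowflake node
// or the legacy MySQL node (typeVersion below 2, or missing).
function findExposedNodes(workflow) {
  return (workflow.nodes || [])
    .filter(n => n.type === SNOWFLAKE ||
      (n.type === MYSQL && !(Number(n.typeVersion) >= 2)))
    .map(n => ({ workflow: workflow.name, node: n.name, type: n.type }));
}

// Constructed sample export, for illustration only.
const sample = {
  name: 'orders-sync',
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', typeVersion: 2 },
    { name: 'Lookup', type: MYSQL, typeVersion: 1 },
    { name: 'Insert', type: MYSQL, typeVersion: 2.4 },
    { name: 'Warehouse', type: SNOWFLAKE, typeVersion: 1 },
  ],
};

console.log(isAffectedVersion('2.17.3'), findExposedNodes(sample));
```

`isAffectedVersion` returns `false` for any version outside the three ranges this advisory lists, so a `false` result means "not listed here", not "confirmed safe".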

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
