CVE-2026-42233 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: May 6, 2026
n8n - SQL Injection
Published: May 4, 2026Updated: May 6, 2026Remote Exploitable
Overview
n8n < 1.123.32, < 2.17.4, and < 2.18.1 contains a SQL injection caused by unsanitized user input in the Oracle Database node's Limit field, letting attackers execute arbitrary SQL and exfiltrate data, exploit requires external input in workflows.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can execute arbitrary SQL queries to exfiltrate data from the connected Oracle database.
Mitigation
Upgrade to versions 1.123.32, 2.17.4, or 2.18.1 or later.
Related Resources
Details
- CVE ID
- CVE-2026-42233
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- sql_injection
- Status
- confirmed
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H