CVE-2026-42237 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: May 6, 2026
n8n - SQL Injection
Published: May 4, 2026 | Updated: May 6, 2026 | Remote Exploitable
Overview
n8n versions before 1.123.32, 2.17.4, and 2.18.1 contain a SQL injection vulnerability caused by direct interpolation of user-controlled table names, column names, and update keys in the Snowflake and legacy MySQL v1 nodes. This lets attackers execute arbitrary SQL queries. Exploitation requires control over that user input.
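The flaw class described in the overview, shown as an added example that is not n8n's code or its actual fix: a query builder that interpolates identifiers directly, next to one that validates each identifier against a known schema and quotes it for the dialect. The function names, the schema object and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example; helper names are hypothetical, not n8n's code.

// Vulnerable pattern: identifiers are pasted into the SQL text. Bound
// parameters (?) protect values only, never table or column names.
function buildUpdateUnsafe(table, updateKey, columns) {
  const set = columns.map((c) => `${c} = ?`).join(', ');
  return `UPDATE ${table} SET ${set} WHERE ${updateKey} = ?`;
}

// Hardened pattern: an identifier must match a strict pattern, must exist in
// the known schema, and is quoted for the target dialect.
const IDENT = /^[A-Za-z_][A-Za-z0-9_$]{0,63}$/;
const QUOTE = new Map([['mysql', '`'], ['snowflake', '"']]);

function quoteIdent(name, dialect) {
  const q = QUOTE.get(dialect);
  if (!q) throw new Error(`unsupported dialect: ${dialect}`);
  if (typeof name !== 'string' || !IDENT.test(name)) {
    throw new Error(`invalid identifier: ${JSON.stringify(name)}`);
  }
  return q + name + q;
}

function buildUpdateSafe(schema, dialect, table, updateKey, columns) {
  if (!Object.prototype.hasOwnProperty.call(schema, table)) {
    throw new Error(`unknown table: ${JSON.stringify(table)}`);
  }
  // The schema must hold names in their stored case: Snowflake treats
  // double-quoted identifiers as case-sensitive.
  const allowed = new Set(schema[table]);
  const ident = (name) => {
    if (!allowed.has(name)) {
      throw new Error(`unknown column: ${JSON.stringify(name)}`);
    }
    return quoteIdent(name, dialect);
  };
  if (!Array.isArray(columns) || columns.length === 0) {
    throw new Error('no columns to update');
  }
  const set = columns.map((c) => `${ident(c)} = ?`).join(', ');
  const where = `${ident(updateKey)} = ?`;
  return `UPDATE ${quoteIdent(table, dialect)} SET ${set} WHERE ${where}`;
}

// Constructed sample data for the demonstration.
const SCHEMA = { orders: ['id', 'status', 'total'] };
const HOSTILE_COLUMN = "status = 'x' --";
```
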
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers can execute arbitrary SQL queries on the connected database, potentially leading to data theft or modification.
Mitigation
Update to versions 1.123.32, 2.17.4, or 2.18.1 or later.
Details
- CVE ID: CVE-2026-42237
- Severity: High
- CVSS Score: 8.8
- Type: sql_injection
- Status: confirmed
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H