Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Oracle Database node’s select operation permits user-controlled input supplied to the Limit field through expressions to be concatenated directly into the SQL statement without sanitization or parameterization. This is an instance of SQL injection (CWE‑89) that enables an attacker who can influence the Limit value to inject arbitrary SQL commands and exfiltrate data from the connected Oracle database.

Affected Systems

The vulnerability affects n8n open‑source workflow automation platform versions older than 1.123.32, 2.17.4, and 2.18.1. Any workflow using the Oracle Database node with a Limit field populated from external sources such as webhooks is susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog, suggesting limited known exploitation. The attack would typically require an attacker to insert an expression into the Limit field—such as via a crafted webhook request—to trigger the injection and retrieve data. If the target database user has sufficient privileges, the attacker could read sensitive information, potentially compromising confidentiality and integrity of the data layer.

Generated by OpenCVE AI on May 4, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to at least version 1.123.32, 2.17.4, or 2.18.1 where the Oracle Database node sanitizes the Limit field
  • Restrict the Limit field in your workflows so that only trusted, non-external expressions are allowed; validate or sanitize any input that may reach this field
  • Ensure the Oracle database account used by n8n has the minimum privileges required for workflow operations, limiting the potential impact of any successful injection

Generated by OpenCVE AI on May 4, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Title n8n: SQL Injection in Oracle Database Node via Limit Field
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T18:35:42.298Z

Reserved: 2026-04-25T05:37:12.117Z

Link: CVE-2026-42233

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T19:16:05.847

Modified: 2026-05-04T19:16:05.847

Link: CVE-2026-42233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses