Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n includes Snowflake and legacy MySQL v1 nodes that build SQL statements by directly appending user-controlled table names, columns, and update keys without escaping. The flaw allows a malicious actor to inject arbitrary SQL, potentially reading or modifying data in the connected Snowflake or MySQL databases. This is a classic input validation issue, identified as CWE-89. The impact is the exposure of sensitive data and unintended database modifications, but it does not provide direct remote code execution.
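As an added illustration (not n8n's code), the following TypeScript sketch contrasts the vulnerable shape the description refers to, identifiers concatenated straight into the statement, with a builder that quotes them per dialect; the function names, the `Dialect` type and the sample names are constructed for this example.

```typescript
// Added example: a minimal UPDATE builder in the vulnerable shape beside a
// hardened one. Nothing here is taken from the n8n code base.

type Dialect = 'mysql' | 'snowflake';

// Quote an SQL identifier for the target dialect. MySQL delimits identifiers
// with backticks, Snowflake with double quotes; an occurrence of the delimiter
// inside the name is doubled so it cannot terminate the identifier early.
// Caveat: quoting makes Snowflake identifiers case-sensitive.
function quoteIdentifier(name: string, dialect: Dialect): string {
  if (name.length === 0) throw new Error('empty identifier');
  const q = dialect === 'mysql' ? '`' : '"';
  return q + name.split(q).join(q + q) + q;
}

// Vulnerable shape: table, column and update-key names from the node
// parameters are interpolated verbatim, so any quote or whitespace in them
// changes the structure of the statement. Only values use placeholders.
function buildUpdateUnsafe(table: string, columns: string[], updateKey: string): string {
  const assignments = columns.map((c) => `${c} = ?`).join(', ');
  return `UPDATE ${table} SET ${assignments} WHERE ${updateKey} = ?;`;
}

// Hardened shape: every identifier passes through quoteIdentifier, so the
// whole user-supplied string is treated as one name by the database.
function buildUpdateSafe(table: string, columns: string[], updateKey: string, dialect: Dialect): string {
  const assignments = columns.map((c) => `${quoteIdentifier(c, dialect)} = ?`).join(', ');
  const tbl = quoteIdentifier(table, dialect);
  const key = quoteIdentifier(updateKey, dialect);
  return `UPDATE ${tbl} SET ${assignments} WHERE ${key} = ?;`;
}

// Constructed odd-but-legal names: a space and an embedded quote character.
// The unsafe builder lets them alter the statement; the safe one does not.
const sampleTable = 'my"orders';
console.log(buildUpdateUnsafe(sampleTable, ['status'], 'id'));
console.log(buildUpdateSafe(sampleTable, ['status'], 'id', 'snowflake'));
console.log(buildUpdateSafe('my table', ['status', 'note'], 'id', 'mysql'));
```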

Affected Systems

The vulnerability affects the n8n open source workflow automation platform. Versions prior to 1.123.32, 2.17.4, or 2.18.1 are impacted for the Snowflake and legacy MySQL v1 nodes. The product owner is n8n-io under the n8n product line.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog. The likely attack vector requires an adversary that can configure or inject values into the Snowflake or MySQL node definitions, which may be achievable through compromised accounts or by injecting crafted payloads into workflow configurations.

Generated by OpenCVE AI on May 4, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to n8n version 1.123.32, 2.17.4, or 2.18.1 (or later) to apply the vendor fix.
  • If an upgrade is not immediately possible, limit the database credentials used by the nodes to the least privileges required and verify that no untrusted input reaches the node configuration.
  • As a temporary measure, disable the Snowflake and legacy MySQL v1 nodes or replace them with secure alternatives until a patch can be applied.

Advisories

No advisories yet.

History

Mon, 04 May 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Type: Title
Values Removed: (none)
Values Added: n8n: SQL Injection in Snowflake and MySQL Nodes

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T20:17:39.624Z

Reserved: 2026-04-25T05:37:12.117Z

Link: CVE-2026-42237

Vulnrichment

Updated: 2026-05-04T20:17:36.710Z

NVD

Status: Received

Published: 2026-05-04T19:16:06.483

Modified: 2026-05-04T19:16:06.483

Link: CVE-2026-42237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T21:00:09Z

Weaknesses