CVE-2026-42233 Overview
CVE-2026-42233 is a SQL injection vulnerability in n8n, an open source workflow automation platform. The flaw resides in the Oracle Database node's select operation, where user-controlled input passed to the Limit field via expressions is interpolated directly into the SQL query. The platform performs no sanitization or parameterization on this value. Attackers who can supply input to the Limit field, such as through a webhook trigger, can inject arbitrary SQL statements. Successful exploitation allows data exfiltration from the connected Oracle database. The issue is tracked under [CWE-89] and was patched in n8n versions 1.123.32, 2.17.4, and 2.18.1.
Critical Impact
Authenticated attackers can inject arbitrary SQL through workflow expressions and exfiltrate data from connected Oracle databases.
Affected Products
- n8n versions prior to 1.123.32
- n8n versions prior to 2.17.4 in the 2.17.x branch
- n8n versions prior to 2.18.1 in the 2.18.x branch
Discovery Timeline
- 2026-05-04 - CVE-2026-42233 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42233
Vulnerability Analysis
The vulnerability resides in the Oracle Database node within n8n workflows. The node exposes a Limit parameter that users can populate using n8n expressions, which evaluate at runtime against incoming workflow data. When the Oracle node constructs its SQL query, it concatenates the resolved Limit value directly into the query string. Parameterized queries or bind variables are not used for this field. Any caller able to influence the expression input controls a portion of the executed SQL. The vulnerability falls under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Root Cause
The root cause is the absence of input validation and query parameterization in the Oracle node's select operation. The Limit field accepts arbitrary string values from expressions and inserts them into the final SQL statement through string interpolation. The node does not enforce a numeric type constraint on the field before query construction.
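As an added illustration of the flaw class described above (hypothetical code, not n8n's own), the interpolation pattern sits beside a hardened builder that type-checks the Limit value and passes it as a bind variable; the function names, the Oracle 12c+ FETCH FIRST clause and the node-oracledb style named-bind shape are assumptions.

```typescript
// Added illustration of the flaw class, not n8n's own code. Function names, the
// Oracle 12c+ FETCH FIRST clause and the node-oracledb style named bind are assumptions.

// Vulnerable pattern: the resolved Limit expression is spliced into the statement as text,
// so any value that is not a bare number becomes SQL syntax.
function buildSelectUnsafe(table: string, limit: string): string {
  return `SELECT * FROM ${table} FETCH FIRST ${limit} ROWS ONLY`;
}

// Hardened pattern: validate the limit as a bounded integer and hand it to the driver
// as a bind variable, which the database treats purely as data.
interface BoundQuery {
  sql: string;
  binds: Record<string, number>;
}

function parseLimit(value: unknown, max: number = 10000): number {
  // Plain decimal digits only: rejects "25 UNION ...", "1e3", "0x10", "10.5", "-1" and blanks.
  const text = String(value).trim();
  if (!/^\d{1,9}$/.test(text)) {
    throw new Error("Limit must be a positive integer, got " + JSON.stringify(value));
  }
  const n = Number(text);
  if (n < 1 || n > max) {
    throw new Error("Limit " + n + " outside the allowed range 1.." + max);
  }
  return n;
}

function buildSelectSafe(table: string, limit: unknown): BoundQuery {
  // Identifiers cannot be bound, so the table name (operator-configured, never taken
  // from a webhook) is checked against an allow-list pattern instead.
  if (!/^[A-Za-z][A-Za-z0-9_$#]{0,127}$/.test(table)) {
    throw new Error("Invalid table identifier");
  }
  return {
    sql: `SELECT * FROM ${table} FETCH FIRST :limit ROWS ONLY`,
    binds: { limit: parseLimit(limit) },
  };
}
```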
Attack Vector
Exploitation requires a workflow that wires external input into the Limit field of the Oracle Database node. A typical scenario involves a webhook trigger feeding request parameters into the expression. An attacker sends a crafted HTTP request to the webhook with a payload that breaks out of the numeric Limit context and appends arbitrary SQL clauses such as UNION SELECT statements. The injected SQL executes with the privileges of the configured Oracle database connection, enabling data exfiltration from any tables accessible to that account.
No verified proof-of-concept code is published. Refer to the GitHub Security Advisory GHSA-r6jc-mpqw-m755 for vendor-supplied technical details.
Detection Methods for CVE-2026-42233
Indicators of Compromise
- Oracle database audit logs containing unexpected UNION, SELECT, or comment sequences (--, /*) in queries originating from the n8n service account
- Webhook request logs with non-numeric or oversized values targeting fields bound to Limit expressions
- Anomalous query volume or response sizes from the Oracle connection used by n8n workflows
Detection Strategies
- Audit n8n workflow definitions for Oracle Database nodes where the Limit field references expressions sourced from $json, webhook bodies, or query parameters
- Enable Oracle database query auditing on accounts used by n8n and alert on syntactically unusual statements containing tautologies or stacked clauses
- Inspect n8n execution logs for runs where webhook payloads contained SQL metacharacters in fields routed to Oracle nodes
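An added example, not vendor tooling, that applies the indicators and strategies above to constructed log records: it flags Limit-bound webhook fields that are not plain integers and n8n-account audit entries carrying UNION, comment, stacked-statement or tautology patterns. The log shapes, field names and service-account name are assumptions.

```typescript
// Added detection sketch, not vendor tooling. Log shapes, field names and the
// service-account name are constructed assumptions for this example.
interface WebhookEntry { ts: string; path: string; body: Record<string, unknown>; }
interface AuditEntry { ts: string; dbUser: string; sql: string; }
// Fields a workflow audit found wired into Oracle node Limit expressions (assumed).
const LIMIT_BOUND_FIELDS = ["limit", "page_size"];
const N8N_DB_USER = "N8N_SVC"; // constructed name of the account n8n connects with
// Webhook side: a Limit-bound field must be a small plain integer; anything else is suspect.
function flagWebhook(e: WebhookEntry): string[] {
  const findings: string[] = [];
  for (const field in e.body) {
    if (LIMIT_BOUND_FIELDS.indexOf(field) === -1) continue; // quotes in other fields are not this bug
    const text = String(e.body[field]).trim();
    if (!/^\d{1,9}$/.test(text)) findings.push(`${e.path} ${field}: non-numeric Limit value`);
    if (/--|\/\*|\bunion\b|;|'/i.test(text)) findings.push(`${e.path} ${field}: SQL metacharacters`);
  }
  return findings;
}

// Database side: the node's select operation should never produce UNION, comments,
// stacked statements or tautologies under the n8n account.
function flagAudit(e: AuditEntry): string[] {
  if (e.dbUser !== N8N_DB_USER) return [];
  const findings: string[] = [];
  if (/\bunion\b/i.test(e.sql)) findings.push("UNION in n8n query");
  if (/--|\/\*/.test(e.sql)) findings.push("comment sequence in n8n query");
  if (/;\s*\S/.test(e.sql)) findings.push("stacked statement in n8n query");
  if (/\bor\s+(\d+)\s*=\s*\1\b/i.test(e.sql)) findings.push("tautology in n8n query");
  return findings;
}
// Constructed samples: a benign request, an injection attempt, a benign request with a
// quote in an unrelated field; same pattern for the audit trail.
const WEBHOOK_SAMPLES: WebhookEntry[] = [
  { ts: "t1", path: "/webhook/orders", body: { limit: "25" } },
  { ts: "t2", path: "/webhook/orders", body: { limit: "25 UNION SELECT 1 FROM dual" } },
  { ts: "t3", path: "/webhook/orders", body: { customer: "O'Brien", limit: "10" } },
];
const AUDIT_SAMPLES: AuditEntry[] = [
  { ts: "t1", dbUser: "N8N_SVC", sql: "SELECT id FROM ORDERS WHERE ROWNUM <= 25" },
  { ts: "t2", dbUser: "N8N_SVC", sql: "SELECT id FROM ORDERS WHERE ROWNUM <= 25 UNION SELECT 1 FROM dual" },
  { ts: "t3", dbUser: "REPORTING", sql: "SELECT a FROM t UNION SELECT b FROM u" }, // other account, ignored
];
function scan(): { webhook: string[]; audit: string[] } {
  const webhook: string[] = [];
  const audit: string[] = [];
  WEBHOOK_SAMPLES.forEach(e => webhook.push(...flagWebhook(e)));
  AUDIT_SAMPLES.forEach(e => audit.push(...flagAudit(e)));
  return { webhook, audit };
}
```

In a real deployment the two sample arrays would be replaced by the webhook request log and the Oracle audit trail forwarded to the SIEM, and each finding correlated by timestamp.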
Monitoring Recommendations
- Forward n8n execution logs and Oracle audit trails to a centralized SIEM for correlation
- Baseline normal query patterns from the n8n Oracle service account and alert on deviations in row counts or accessed tables
- Monitor outbound network traffic from n8n hosts for unusual volumes that may indicate data exfiltration
How to Mitigate CVE-2026-42233
Immediate Actions Required
- Upgrade n8n to version 1.123.32, 2.17.4, or 2.18.1 depending on the deployed release branch
- Audit existing workflows for Oracle Database nodes whose Limit field is populated from expressions tied to external input
- Rotate Oracle database credentials used by n8n if compromise is suspected and review database audit logs for the exposure window
Patch Information
The vendor released patched builds in versions 1.123.32, 2.17.4, and 2.18.1. Details and remediation guidance are available in the n8n GitHub Security Advisory GHSA-r6jc-mpqw-m755.
Workarounds
- Replace expression-driven Limit values with hard-coded numeric constants until upgrade is complete
- Restrict the Oracle database account used by n8n to read-only privileges on the minimum set of required tables
- Place webhook endpoints behind authentication and validate that input fields used in workflows match expected numeric types before they reach the Oracle node
# Upgrade example for self-hosted n8n via npm
npm install -g n8n@2.18.1
# Or pull the patched Docker image
docker pull n8nio/n8n:2.18.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.