CVE-2026-42237 Overview
CVE-2026-42237 is a SQL injection vulnerability in n8n, an open source workflow automation platform. The flaw resides in the Snowflake node and the legacy MySQL v1 node, both of which build SQL queries by interpolating table names, column names, and update keys taken from node parameters directly into query strings without identifier escaping. It is a gap left by a prior fix, tracked as GHSA-f3f2-mcxc-pwjx, which did not cover these two nodes. An authenticated attacker with workflow editing privileges can inject arbitrary SQL against the connected database. Maintainers patched the flaw in versions 1.123.32, 2.17.4, and 2.18.1.
Critical Impact
Authenticated workflow operators can execute arbitrary SQL statements against connected Snowflake or MySQL databases, compromising data confidentiality and integrity beyond the n8n trust boundary.
Affected Products
- n8n versions prior to 1.123.32 (1.x branch)
- n8n versions prior to 2.17.4 (2.17 branch)
- n8n versions prior to 2.18.1, including 2.18.0
Discovery Timeline
- 2026-05-04 - CVE-2026-42237 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42237
Vulnerability Analysis
The vulnerability is classified as SQL Injection [CWE-89]. It affects two database nodes shipped with n8n: the Snowflake node and the legacy MySQL v1 node. Both nodes accept user-controlled values for table names, column names, and update keys when configuring workflow operations.
Instead of escaping these identifiers or validating them against an allowlist, the nodes concatenate the values directly into the SQL strings they execute. Identifier positions cannot be covered by bound parameters, so an attacker who can edit or trigger a workflow can place arbitrary SQL fragments in the query sent to the backing database. Identifier fields may also be filled by expressions over upstream data; where an existing workflow does this with untrusted input, such as a webhook payload, the injection point is reachable by whoever supplies that input, not only by workflow editors.
The impact extends beyond n8n itself: injected statements run with the privileges of the configured database credentials, which often include write access to production data warehouses or transactional databases.
Root Cause
The root cause is missing identifier escaping in query construction. SQL identifiers such as table and column names cannot be bound as parameters in prepared statements, which accept values only; they must instead be wrapped in the dialect's identifier delimiters (backticks for MySQL, double quotes for Snowflake, with any embedded delimiter doubled) or checked against an allowlist of expected names. The original remediation for GHSA-f3f2-mcxc-pwjx introduced such escaping for several nodes but omitted the Snowflake and legacy MySQL v1 implementations, leaving raw identifier interpolation in those code paths.
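The quoting the fix needs, as an added example in TypeScript written for this page rather than taken from n8n's code base: the interpolating builder shape the advisory describes, beside a hardened builder that routes every identifier position through per-dialect quoting, plus an optional allowlist check a workflow owner can apply in front of it. The type and function names, the UpdateSpec shape, and the hostile payload are assumptions and do not correspond to n8n's own API.

```typescript
// Added example for this page, not code from n8n. Type and function names are
// illustrative assumptions and do not correspond to the project's own API.

export interface UpdateSpec {
  table: string;      // value of the node's "table" parameter
  columns: string[];  // values of the node's "columns" parameter
  updateKey: string;  // value of the node's "updateKey" parameter
}

// The pattern the advisory describes: identifiers dropped into the string as-is.
// Row values are still bound through "?" placeholders, which cannot protect
// identifier positions.
export function buildUpdateUnsafe(spec: UpdateSpec): string {
  const sets = spec.columns.map((c) => `${c} = ?`).join(', ');
  return `UPDATE ${spec.table} SET ${sets} WHERE ${spec.updateKey} = ?`;
}

function rejectNul(ident: string): void {
  // A NUL byte can truncate the identifier in some client libraries.
  if (ident.indexOf('\0') !== -1) throw new Error('NUL byte in identifier');
}

// MySQL delimits identifiers with backticks; an embedded backtick is doubled.
export function quoteMySqlIdentifier(ident: string): string {
  rejectNul(ident);
  return '`' + ident.replace(/`/g, '``') + '`';
}

// Snowflake delimits identifiers with double quotes; an embedded quote is doubled.
// Quoted identifiers are case-sensitive in Snowflake: unquoted users resolves to
// USERS, quoted "users" does not, so the caller must supply the stored case.
export function quoteSnowflakeIdentifier(ident: string): string {
  rejectNul(ident);
  return '"' + ident.replace(/"/g, '""') + '"';
}

export type Dialect = 'mysql' | 'snowflake';

// Hardened builder: every identifier position goes through the dialect's quoting.
// A dotted schema.table value is quoted part by part; quoting it whole would name
// a single table called "schema.table".
export function buildUpdateSafe(spec: UpdateSpec, dialect: Dialect): string {
  const quote = dialect === 'mysql' ? quoteMySqlIdentifier : quoteSnowflakeIdentifier;
  const qualified = (ident: string) => ident.split('.').map((p) => quote(p)).join('.');
  const sets = spec.columns.map((c) => `${qualified(c)} = ?`).join(', ');
  return `UPDATE ${qualified(spec.table)} SET ${sets} WHERE ${qualified(spec.updateKey)} = ?`;
}

// Defence in depth for workflow owners: most workflows only ever need plain
// identifiers, so anything else can be rejected before the builder runs.
// Allows an optional schema. prefix; widen the charset only if your schema needs it.
const PLAIN_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_$]*(\.[A-Za-z_][A-Za-z0-9_$]*)?$/;

export function assertPlainIdentifier(ident: string): string {
  if (!PLAIN_IDENTIFIER.test(ident)) {
    throw new Error('rejected identifier ' + JSON.stringify(ident));
  }
  return ident;
}

// Constructed payload (not from any real incident): a "table" value that ends the
// identifier and appends a second statement when interpolated verbatim.
export const HOSTILE_SPEC: UpdateSpec = {
  table: 'users; DROP TABLE audit_log; -- ',
  columns: ['email'],
  updateKey: 'id',
};
```

Two practitioner caveats. Quoting alone turns the hostile value into a harmless (and non-existent) table name, which is the behaviour the advisory's fix restores, but in Snowflake it also changes resolution: a workflow that previously relied on an unquoted name being folded to upper case will start failing after the fix unless the stored case is supplied. The allowlist check is therefore worth applying separately in workflows you control, since it rejects both the payload and the accidental case mismatch before any query is built.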
Attack Vector
Exploitation requires network access to the n8n instance and authenticated low-privilege access sufficient to configure or run workflows that use the Snowflake or MySQL v1 nodes. The attacker supplies malicious payloads in fields treated as identifiers, breaking out of the intended identifier context to append arbitrary SQL clauses. No user interaction is required once a tampered workflow executes. The vulnerability manifests during query construction inside the affected nodes; refer to the n8n GitHub Security Advisory GHSA-hp3c-vfpm-q4f7 for technical details.
Detection Methods for CVE-2026-42237
Indicators of Compromise
- Workflow definitions referencing the Snowflake node or legacy MySQL v1 node with non-standard characters such as backticks, quotes, semicolons, or comment markers in table or column name fields.
- Database audit logs showing unexpected UNION, DROP, INSERT, or schema enumeration statements originating from the n8n service account.
- n8n execution logs containing workflow runs that produced syntactically malformed or unusually long SQL queries against Snowflake or MySQL targets.
Detection Strategies
- Inventory all workflows that invoke the Snowflake node or MySQL v1 node and review their identifier fields for static, expected values only.
- Correlate n8n workflow execution events with database query logs to flag dynamic identifiers sourced from expressions or external inputs.
- Alert on n8n service account database sessions issuing data definition language (DDL) or cross-schema queries inconsistent with normal workflow behavior.
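The indicators and the inventory step above can be turned into a scan over exported workflow JSON. The following is an added example written for this page, not n8n tooling: it walks the nodes of an export, keeps only Snowflake nodes and MySQL nodes at typeVersion 1, and flags identifier parameters that either contain breakout characters or are expression-valued and so decided at run time. The node type strings, the typeVersion convention, the parameter names, and the leading "=" marker for expressions are assumptions about the export format; the sample workflow is constructed.

```typescript
// Added example for this page, not n8n tooling. The node type strings, the
// typeVersion convention, the parameter names, and the leading "=" marker for
// expression-valued parameters are assumptions about the exported workflow JSON;
// confirm them against your own exports before relying on the results.

export interface N8nNode {
  name: string;
  type: string;
  typeVersion?: number;
  parameters?: { [key: string]: unknown };
}

export interface N8nWorkflow {
  name?: string;
  nodes: N8nNode[];
}

export interface Finding {
  workflow: string;
  node: string;
  field: string;
  value: string;
  reason: 'breakout-characters' | 'expression';
}

// Parameter names the affected nodes treat as SQL identifiers (assumed).
const IDENTIFIER_FIELDS = ['table', 'columns', 'updateKey'];

// Backticks, quotes, semicolons and comment markers: none belong in a plain
// identifier, and each can end the identifier context the node expects.
const BREAKOUT = /[`'";]|--|\/\*|\*\//;

// Only the Snowflake node and MySQL typeVersion 1 are in scope; the current
// MySQL node (typeVersion 2 and later) is not affected.
export function isAffectedNode(node: N8nNode): boolean {
  if (node.type === 'n8n-nodes-base.snowflake') return true;
  return node.type === 'n8n-nodes-base.mySql' && (node.typeVersion ?? 1) === 1;
}

export function scanWorkflow(wf: N8nWorkflow): Finding[] {
  const findings: Finding[] = [];
  for (const node of wf.nodes) {
    if (!isAffectedNode(node)) continue;
    const params = node.parameters ?? {};
    for (const field of IDENTIFIER_FIELDS) {
      const raw = params[field];
      if (typeof raw !== 'string') continue;
      const add = (reason: Finding['reason']) =>
        findings.push({ workflow: wf.name ?? '(unnamed)', node: node.name, field: field, value: raw, reason: reason });
      if (raw.charAt(0) === '=') {
        // Expression-valued parameter, e.g. "={{ $json.body.table }}": the
        // identifier is decided at run time from upstream data, so a static
        // review cannot clear it and the upstream input needs the same scrutiny.
        add('expression');
      } else if (BREAKOUT.test(raw)) {
        add('breakout-characters');
      }
    }
  }
  return findings;
}

// Constructed sample export, not a real workflow: a clean MySQL v1 insert, a
// MySQL v1 update whose update key carries a payload, a Snowflake insert whose
// table name comes from a webhook body, and a current MySQL node that is skipped.
export const SAMPLE_WORKFLOW: N8nWorkflow = {
  name: 'nightly-sync',
  nodes: [
    { name: 'Insert events', type: 'n8n-nodes-base.mySql', typeVersion: 1,
      parameters: { operation: 'insert', table: 'events', columns: 'id,name' } },
    { name: 'Update users', type: 'n8n-nodes-base.mySql', typeVersion: 1,
      parameters: { operation: 'update', table: 'users', columns: 'email',
                    updateKey: 'id; DROP TABLE audit_log; -- ' } },
    { name: 'Load to Snowflake', type: 'n8n-nodes-base.snowflake',
      parameters: { operation: 'insert', table: '={{ $json.body.table }}', columns: 'id' } },
    { name: 'Current MySQL node', type: 'n8n-nodes-base.mySql', typeVersion: 2,
      parameters: { operation: 'insert', table: "x'y", columns: 'id' } },
  ],
};

// Running the file scans the sample; point scanWorkflow at your own exports.
export const SAMPLE_FINDINGS: Finding[] = scanWorkflow(SAMPLE_WORKFLOW);
```

The expression finding is the one to treat most seriously: a breakout payload sitting in a static field is visible evidence of tampering, whereas an expression-driven identifier is a standing injection path that stays open to whoever feeds the upstream node, which is why the detection strategy above asks for correlation with query logs rather than static review alone.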
Monitoring Recommendations
- Enable query logging on the Snowflake and MySQL targets used by n8n (Snowflake's QUERY_HISTORY views in the ACCOUNT_USAGE schema, MySQL's general or audit log) and forward the events to a centralized analytics platform.
- Monitor n8n audit logs for workflow edits to nodes affected by GHSA-hp3c-vfpm-q4f7, especially by non-administrator users.
- Track outbound data volumes from databases connected to n8n to identify potential exfiltration attempts driven by injected SELECT statements.
How to Mitigate CVE-2026-42237
Immediate Actions Required
- Upgrade n8n to version 1.123.32, 2.17.4, or 2.18.1 (or a later release on the same branch), depending on the deployed branch.
- Audit existing workflows that use the Snowflake or legacy MySQL v1 nodes and validate that identifier fields contain only trusted, static values.
- Rotate database credentials used by n8n if exploitation is suspected, and review database audit logs for unauthorized statements.
Patch Information
Maintainers released fixes in n8n 1.123.32, 2.17.4, and 2.18.1. The patches add identifier escaping to the Snowflake node and the legacy MySQL v1 node, aligning their query construction with the remediation previously applied for GHSA-f3f2-mcxc-pwjx. Refer to the n8n GitHub Security Advisory GHSA-hp3c-vfpm-q4f7 for the authoritative fix details.
Workarounds
- Migrate workflows from the legacy MySQL v1 node to the current MySQL node, which is not affected by this issue. No equivalent replacement is listed for the Snowflake node, so Snowflake workflows depend on the remaining workarounds until a patched version is deployed.
- Restrict the database privileges of the account used by n8n to the minimum required tables and operations to limit injection impact.
- Limit workflow editing permissions in n8n to a small, trusted set of users until patched versions are deployed.
# Upgrade n8n via npm to a fixed release
npm install -g n8n@2.18.1
# Or pin a fixed Docker image version
docker pull n8nio/n8n:2.18.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


