Skip to main content

n8n EUVDEUVD-2026-27107

| CVE-2026-42233 MEDIUM
Improper Input Validation (CWE-20)
2026-04-29 https://github.com/n8n-io/n8n GHSA-r6jc-mpqw-m755
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 04, 2026 - 20:01 EUVD
CVSS changed
May 04, 2026 - 19:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
Apr 29, 2026 - 22:02 vuln.today
Analysis Generated
Apr 29, 2026 - 22:02 vuln.today
Analysis Generated
Apr 29, 2026 - 21:30 vuln.today
CVE Published
Apr 29, 2026 - 21:08 nvd
MEDIUM

DescriptionGitHub Advisory

Impact

A flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database.

Exploitation requires a specific workflow configuration:

  • The Oracle Database node must be used with user-controlled input passed via expressions into the Limit field.
  • Authentication requirements depend on the workflow's configuration (e.g., an unauthenticated webhook endpoint would allow unauthenticated exploitation).

Patches

The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Limit workflow creation and editing permissions to fully trusted users only.
  • Disable the Oracle Database node by adding n8n-nodes-base.oracleDatabase to the NODES_EXCLUDE environment variable.
  • Avoid passing unvalidated external user input into the Oracle Database node's Limit field via expressions.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

SQL injection in n8n's Oracle Database node allows attackers to inject arbitrary SQL commands through the Limit field when user-controlled input is passed via expressions, enabling data exfiltration from connected Oracle databases. Exploitation requires a specific workflow configuration where external input (e.g., from webhooks) reaches the Limit field; authentication depends on the webhook's access controls. The vulnerability affects n8n versions prior to 1.123.32, 2.17.4, and 2.18.1, and vendor-released patches are available.

Technical ContextAI

n8n is a workflow automation platform that includes pre-built nodes for integrating with external services, including Oracle Database. The Oracle Database node's select operation constructs SQL queries dynamically by interpolating user-provided parameters directly into the query string without parameterized query mechanisms or input sanitization. The vulnerability stems from improper input validation (CWE-20) in the Limit field, which accepts expressions that bypass SQL injection protections. When a workflow receives external input via webhook or other trigger mechanisms and passes that input through expressions into the Limit field, the unsanitized value is concatenated directly into the SQL query executed against the Oracle database backend.

RemediationAI

Immediate remediation requires upgrading to patched versions: n8n 1.123.32 or later for 1.x deployments, n8n 2.17.4 for 2.x deployments in the 2.17 branch, or n8n 2.18.1 or later for 2.18+ deployments. Administrators unable to patch immediately should implement these compensating controls in order of priority: (1) Disable the Oracle Database node entirely by adding n8n-nodes-base.oracleDatabase to the NODES_EXCLUDE environment variable-this eliminates the attack surface but prevents any Oracle workflows from running; (2) Restrict workflow creation and editing permissions to fully trusted internal users only, preventing external or untrusted users from modifying workflows to inject malicious input; (3) Audit all existing workflows using the Oracle Database node and verify that the Limit field does not accept external input via expressions-modify workflows to use hardcoded, validated limit values instead. Workarounds do not fully remediate risk and are temporary measures only. Patch immediately when feasible.

Share

EUVD-2026-27107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy