{"id":"GHSA-r6jc-mpqw-m755","summary":"n8n has SQL Injection in Oracle Database Node via Limit Field","details":"## Impact\nA flaw in the Oracle Database node's select operation allowed user-controlled input passed into the `Limit` field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the `Limit` field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database.\n\nExploitation requires a specific workflow configuration:\n- The Oracle Database node must be used with user-controlled input passed via expressions into the `Limit` field.\n- Authentication requirements depend on the workflow's configuration (e.g., an unauthenticated webhook endpoint would allow unauthenticated exploitation).\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Oracle Database node by adding `n8n-nodes-base.oracleDatabase` to the `NODES_EXCLUDE` environment variable.\n- Avoid passing unvalidated external user input into the Oracle Database node's `Limit` field via expressions.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","aliases":["CVE-2026-42233"],"modified":"2026-05-08T01:50:24.664082Z","published":"2026-04-29T21:08:27Z","database_specific":{"github_reviewed":true,"severity":"MODERATE","github_reviewed_at":"2026-04-29T21:08:27Z","nvd_published_at":"2026-05-04T19:16:05Z","cwe_ids":["CWE-20","CWE-89"]},"references":[{"type":"WEB","url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42233"},{"type":"PACKAGE","url":"https://github.com/n8n-io/n8n"}],"affected":[{"package":{"name":"n8n","ecosystem":"npm","purl":"pkg:npm/n8n"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.123.32"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r6jc-mpqw-m755/GHSA-r6jc-mpqw-m755.json"}},{"package":{"name":"n8n","ecosystem":"npm","purl":"pkg:npm/n8n"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.18.0"},{"fixed":"2.18.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r6jc-mpqw-m755/GHSA-r6jc-mpqw-m755.json"}},{"package":{"name":"n8n","ecosystem":"npm","purl":"pkg:npm/n8n"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0"},{"fixed":"2.17.4"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r6jc-mpqw-m755/GHSA-r6jc-mpqw-m755.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"}]}