CVE-2026-42237

n8n: SQL Injection in Snowflake and MySQL Nodes

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

INFO

Published Date :

2026-05-04T18:39:56.263Z

Last Modified :

2026-05-04T20:17:39.624Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-42237 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42237.

URL	Resource
https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability