GHSA-hp3c-vfpm-q4f7

Suggest an improvement
Source
https://github.com/advisories/GHSA-hp3c-vfpm-q4f7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hp3c-vfpm-q4f7/GHSA-hp3c-vfpm-q4f7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hp3c-vfpm-q4f7
Aliases
  • CVE-2026-42237
Published
2026-04-29T21:03:29Z
Modified
2026-05-08T01:50:30.567248Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
n8n has SQL Injection in Snowflake and MySQL Nodes
Details

Impact

The fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database.

Exploitation requires a specific workflow configuration: - The Snowflake or MySQL v1 node must be used with user-controlled input passed via expressions (e.g., from a form or webhook) into identifier fields such as table name, column name, or update key.

Successful exploitation could allow data exfiltration, modification, or deletion on the downstream database.

Patches

The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Migrate workflows from the legacy MySQL v1 node to the MySQL v2 node, which already implements identifier escaping. - Disable the Snowflake node by adding n8n-nodes-base.snowflake to the NODES_EXCLUDE environment variable. - Avoid passing unvalidated external user input into table name, column name, or update key fields via expressions in the affected nodes.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Database specific 
{
    "github_reviewed_at": "2026-04-29T21:03:29Z",
    "nvd_published_at": "2026-05-04T19:16:06Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / n8n

Package

Name
n8n
View open source insights on deps.dev
Purl
pkg:npm/n8n

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.123.32

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hp3c-vfpm-q4f7/GHSA-hp3c-vfpm-q4f7.json"

npm / n8n

Package

Name
n8n
View open source insights on deps.dev
Purl
pkg:npm/n8n

Affected ranges

Type
SEMVER
Events
Introduced
2.18.0
Fixed
2.18.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hp3c-vfpm-q4f7/GHSA-hp3c-vfpm-q4f7.json"

npm / n8n

Package

Name
n8n
View open source insights on deps.dev
Purl
pkg:npm/n8n

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.17.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hp3c-vfpm-q4f7/GHSA-hp3c-vfpm-q4f7.json"