CVE-2026-42237
n8n has SQL Injection in Snowflake and MySQL Nodes
Description
## Impact The fix for [GHSA-f3f2-mcxc-pwjx](https://github.com/advisories/GHSA-f3f2-mcxc-pwjx) did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. Exploitation requires a specific workflow configuration: - The Snowflake or MySQL v1 node must be used with user-controlled input passed via expressions (e.g., from a form or webhook) into identifier fields such as table name, column name, or update key. Successful exploitation could allow data exfiltration, modification, or deletion on the downstream database. ## Patches The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Migrate workflows from the legacy MySQL v1 node to the MySQL v2 node, which already implements identifier escaping. - Disable the Snowflake node by adding `n8n-nodes-base.snowflake` to the `NODES_EXCLUDE` environment variable. - Avoid passing unvalidated external user input into table name, column name, or update key fields via expressions in the affected nodes. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
How to fix CVE-2026-42237
To remediate CVE-2026-42237, upgrade the affected package to a fixed version below.
- —upgrade to 1.123.32 or later
Is CVE-2026-42237 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.123.32