PT-2026-36903 · Oracle · Oracle Database
Pawbednarz · Published 2026-04-22 · Updated 2026-05-13 · CVE-2026-42233

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
n8n versions prior to 1.123.32
n8n versions prior to 2.17.4
n8n versions prior to 2.18.1
Description
A flaw in the Oracle Database node's select operation allows user-controlled input passed into the Limit field via an expression to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field, such as from a webhook, an attacker could inject arbitrary SQL to exfiltrate data from the connected Oracle database.
Recommendations
Update to version 1.123.32.
Update to version 2.17.4.
Update to version 2.18.1.
As a temporary workaround, avoid passing external input into the Limit field of the Oracle Database node.
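The following is an added example, not code from n8n or Oracle, that contrasts the flaw described above (a Limit value spliced into the query text) with a builder that validates the limit and passes it as a bind variable. The row-limiting clause, the function names and the identifier rule are illustrative assumptions; the exact SQL the n8n Oracle Database node emits is not shown on this page.

```typescript
// Added example, not code from n8n or Oracle: the interpolation flaw the
// advisory describes, next to a validated, parameterized equivalent.
// Assumptions: the row-limit clause and the function names are illustrative;
// the exact SQL the n8n Oracle Database node emits is not shown on the page.

// Vulnerable pattern: whatever arrives in the Limit field (for example a
// webhook value referenced through an expression) is spliced into the SQL.
function buildSelectVulnerable(table: string, limit: string): string {
  return `SELECT * FROM ${table} FETCH FIRST ${limit} ROWS ONLY`;
}

// Only a plain, bounded decimal integer is accepted as a limit; anything
// else (operators, keywords, whitespace inside, exponents) is rejected.
function parseLimit(raw: unknown): number {
  const s = String(raw ?? '').trim();
  if (!/^\d{1,6}$/.test(s)) {
    throw new Error(`Limit must be a non-negative integer, got ${JSON.stringify(raw)}`);
  }
  return Number(s);
}

// Identifiers cannot be bind variables, so the table name is checked against
// a constructed allowlist rule modelled on Oracle's unquoted-identifier grammar.
function assertIdentifier(name: string): string {
  if (!/^[A-Za-z][A-Za-z0-9_$#]{0,127}$/.test(name)) {
    throw new Error(`invalid identifier ${JSON.stringify(name)}`);
  }
  return name;
}

interface BoundQuery {
  sql: string;               // query text with a :limit placeholder
  binds: { limit: number };  // value handed to the driver separately
}

// Hardened pattern: the limit travels as a bind variable, so the database
// never parses user input as SQL.
function buildSelectHardened(table: string, limit: unknown): BoundQuery {
  return {
    sql: `SELECT * FROM ${assertIdentifier(table)} FETCH FIRST :limit ROWS ONLY`,
    binds: { limit: parseLimit(limit) },
  };
}

// Walk a few constructed Limit values through both builders.
function demo(): Array<{ input: string; vulnerable: string; hardened: string }> {
  const inputs = ['10', '5 OR 1=1', '1e3'];
  return inputs.map((input) => {
    let hardened: string;
    try {
      hardened = JSON.stringify(buildSelectHardened('ORDERS', input));
    } catch (e) {
      hardened = `rejected: ${(e as Error).message}`;
    }
    return { input, vulnerable: buildSelectVulnerable('ORDERS', input), hardened };
  });
}

for (const row of demo()) console.log(row);
```

The point of the hardened form is that the limit never becomes part of the SQL text at all: the driver receives the integer through `binds`, and a value that is not a short run of digits is refused before any query is built, which is also a convenient place to log rejected Limit values coming from webhooks.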

Fix · SQL injection · RCE

Weakness Enumeration

Related Identifiers

BDU:2026-06927
CVE-2026-42233
GHSA-R6JC-MPQW-M755

Affected Products

Oracle Database
N8N