GHSA-hp3c-vfpm-q4f7: n8n has SQL Injection in Snowflake and MySQL Nodes
Summary
n8n's Snowflake and MySQL v1 nodes have a SQL injection vulnerability: user-controlled table and column names are interpolated directly into the SQL text of database queries without being validated or escaped, so any SQL syntax contained in those names becomes part of the executed statement. An attacker who can create or edit workflows could use this to read, modify, or delete data in the connected database.
Solution / Mitigation
The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later. If an immediate upgrade is not possible, temporary workarounds include: restricting workflow creation and editing permissions to trusted users only; migrating from the legacy MySQL v1 node to the MySQL v2 node, which escapes identifiers; disabling the Snowflake node by adding 'n8n-nodes-base.snowflake' to the 'NODES_EXCLUDE' environment variable; and not passing unvalidated external user input into the table name, column name, or update key fields of the affected nodes. The source notes that these workarounds do not fully remediate the risk and should be treated only as short-term measures.
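To make the defect described in the summary and the "identifier escaping" mitigation concrete, here is an added example (not n8n's code, and not taken from the fixed nodes) showing the vulnerable pattern of concatenating caller-supplied identifiers into a query next to two defensive alternatives: an allow-list check on identifier syntax, and MySQL-style backtick quoting combined with an explicit set of permitted tables. The identifier rules, the `buildSelect*` helpers, and the constructed bad table name are all assumptions made for illustration.

```javascript
// Added example (not n8n's code): unescaped identifiers in a query, and two
// defensive alternatives (allow-list validation and identifier quoting).
// Assumes MySQL-style backtick quoting; identifier rules are simplified.

// Conservative allow-list pattern for a single unquoted identifier part.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_$]{0,63}$/;

// Constructed input for the demo: a table name that carries SQL syntax.
const CONSTRUCTED_BAD_TABLE = 'users; -- ';

// Vulnerable pattern described in the advisory: table and column names are
// concatenated into the SQL text, so any SQL syntax in them becomes part of
// the statement. Only the id value is bound as a parameter.
function buildSelectUnsafe(table, column) {
  return `SELECT ${column} FROM ${table} WHERE id = ?`;
}

// Strict check: accept only identifiers that match the allow-list pattern.
function isSafeIdentifier(name) {
  return typeof name === 'string' && IDENTIFIER_RE.test(name);
}

// Quote one identifier part with backticks, doubling any embedded backtick,
// so the database treats the whole value as a name rather than as syntax.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) {
    throw new Error('identifier must be a non-empty string of at most 64 characters');
  }
  if (name.includes('\0')) {
    throw new Error('identifier must not contain NUL');
  }
  return '`' + name.replace(/`/g, '``') + '`';
}

// Quote a possibly schema-qualified name such as "shop.orders" part by part.
function quoteQualified(name) {
  return name.split('.').map(quoteIdentifier).join('.');
}

// Hardened builder: the table must come from an explicit allow-list (the set
// of tables this workflow is meant to touch) and every identifier is quoted.
function buildSelectSafe(table, column, allowedTables) {
  if (!allowedTables.has(table)) {
    throw new Error(`table not permitted: ${table}`);
  }
  return `SELECT ${quoteQualified(column)} FROM ${quoteQualified(table)} WHERE id = ?`;
}

// Run both builders against the constructed bad table name and report what
// each one does with it.
function demo() {
  const allowed = new Set(['users', 'shop.orders']);
  const unsafeQuery = buildSelectUnsafe(CONSTRUCTED_BAD_TABLE, 'email');
  let safeError = null;
  try {
    buildSelectSafe(CONSTRUCTED_BAD_TABLE, 'email', allowed);
  } catch (e) {
    safeError = e.message;
  }
  return {
    unsafeQuery,                                               // injected text appears verbatim
    allowListVerdict: isSafeIdentifier(CONSTRUCTED_BAD_TABLE), // false: rejected before use
    quotedAnyway: quoteIdentifier(CONSTRUCTED_BAD_TABLE),      // inert: one quoted name
    safeError,                                                 // hardened builder refused it
  };
}

console.log(demo());
```

The important design choice is that the allow-list of tables is decided by the workflow author, not by the incoming data: quoting alone turns an injected string into a harmless (and almost certainly non-existent) table name, but restricting which tables a node may touch at all is what keeps a workflow from being steered at data it was never meant to reach.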
Vulnerability Details
EPSS: 0.0%
April 29, 2026
Original source: https://github.com/advisories/GHSA-hp3c-vfpm-q4f7
First tracked: April 29, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%