CVE-2026-42233: n8n has SQL Injection in Oracle Database Node via Limit Field

April 29, 2026 (updated May 8, 2026)

A flaw in the Oracle Database node’s select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database.

Exploitation requires a specific workflow configuration:

The Oracle Database node must be used with user-controlled input passed via expressions into the Limit field.
Authentication requirements depend on the workflow’s configuration (e.g., an unauthenticated webhook endpoint would allow unauthenticated exploitation).

References

Code Behaviors & Features

Detect and mitigate CVE-2026-42233 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →