NIXPKGS-2026-1415

GitHub issue published on

Permalink CVE-2026-42237

updated 7 hours ago by @LeSuisse Activity log

Created suggestion 1 day, 12 hours ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
8 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 7 hours ago

n8n: SQL Injection in Snowflake and MySQL Nodes

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7 x_refsource_CONFIRM

Affected products

n8n

==>= 2.18.0, < 2.18.1
==< 1.123.32
==>= 2.17.0, < 2.17.4

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.15.0
- nixpkgs-unstable 2.15.0
- nixos-unstable-small 2.15.0
nixos-25.11 1.123.27
- nixos-25.11-small 1.123.27
- nixpkgs-25.11-darwin 1.123.27