CVE-2026-42229HIGH 8.8EPSS p24.6%

CVE-2026-42229CVE-2026-42229

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.33% probability of exploitation · percentile 24.6% · 2026-06-19T12:03:05Z
Published2026-05-04
Last modified2026-05-06

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-42237
CVE
CVE-2026-33713
CVE
CVE-2026-42233
CVE
CVE-2026-27497
CVE
CVE-2026-42234
CVE
CVE-2026-25049
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.