CVE-2026-42229: n8n: SQL injection in SeaTable node leaks restricted rows

GHSA-mp4j-h6gh-f6mp UNKNOWN
Published April 29, 2026
CISO Take

n8n's SeaTable integration node concatenates external user input directly into SQL queries without sanitization, allowing attackers to bypass row-level access controls and retrieve unauthorized records from connected SeaTable databases. This is particularly impactful in AI agent pipelines where n8n orchestrates workflows that process webhooks, form submissions, or API inputs and route them to SeaTable operations — a deployment pattern common in customer-facing and internal automation. While no public exploit exists and this CVE is not in CISA KEV, the EPSS score places it in the 85th percentile for exploitation likelihood relative to the broader CVE universe, and n8n's package carries 75 prior CVEs and a package risk score of 69/100, signaling systemic input-handling weaknesses that give this class of finding added credibility. Teams should upgrade to n8n 1.123.32 (v1 branch), 2.17.4, or 2.18.1 (v2 branch) and audit all workflows where untrusted external input reaches SeaTable node parameters.

Sources: NVD, GitHub Advisory, EPSS, OpenSSF, ATLAS

What is the risk?

Moderate risk. SQL injection is a well-understood, reliably exploitable vulnerability class requiring no specialized AI or ML knowledge — it falls squarely in the trivial-to-moderate exploitation range once an attacker identifies a reachable workflow. Exploitation is conditional on the workflow being configured to pipe external user input into SeaTable row:search or row:get nodes, which is a realistic but not universal deployment pattern. The package's history (75 CVEs, OpenSSF Scorecard 6/10, package risk score 69/100) indicates persistent code quality concerns that increase the plausibility of this finding. The absence of active exploitation evidence and public PoC reduces immediate urgency, but the EPSS 85th percentile placement warrants prompt patching rather than deferral.

How does the attack unfold?

  • Initial Access (AML.T0049): Attacker identifies a public-facing n8n workflow webhook or API trigger that accepts external user input and routes it to a SeaTable row:search or row:get node.
  • Payload Injection (AML.T0053): Attacker embeds SQL metacharacters or conditional fragments into the input parameter (search term, row ID) submitted to the n8n workflow trigger.
  • Query Manipulation: The SeaTable node concatenates the unsanitized payload directly into a raw SQL query string, causing the database to execute the adversary-modified query and return unscoped rows.
  • Unauthorized Data Exfiltration (AML.T0085.001): The manipulated query returns records outside the intended access boundary — other users' data, full table contents, or filtered-out sensitive rows — delivered back to the attacker via the workflow response.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable range: < 1.123.32
Patched: 1.123.32

How severe is it?

CVSS 3.1: N/A
EPSS: 0.3% chance of exploitation in 30 days (higher than 26% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Upgrade n8n to 1.123.32 (v1 branch), 2.17.4, or 2.18.1 (v2 branch) — these versions introduce parameterized query handling in the SeaTable node.

  2. Audit all active workflows containing SeaTable row:search or row:get nodes; identify those receiving external input via webhook triggers, form nodes, or API calls.

  3. For workflows that cannot be patched immediately, add input sanitization steps (n8n Code nodes) to strip or reject SQL metacharacters before SeaTable nodes.

  4. Restrict webhook endpoint access to trusted IP ranges or authenticated callers where operationally feasible.

  5. Review SeaTable audit logs for anomalous row access patterns — queries returning unexpectedly large result sets or requests outside normal business hours — as indicators of prior exploitation.
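One way to implement step 3 as an n8n Code node, shown here as an added example and not code from the advisory or from n8n: it allowlists the order reference used in the Exploitation Scenario's lookup workflow and rejects everything else (including the quoted `' OR 1=1 --` payload) before the SeaTable node is reached. The reference format, the `orderRef` field name and the sample items are assumptions made up for illustration.

```javascript
// Added example, not code from the advisory or from n8n: allowlist validation for
// a Code node placed between the Webhook trigger and the SeaTable row:search node.
// ORD- plus 6 to 12 digits, the field name and the sample items are assumptions.

const ORDER_REF_PATTERN = /^ORD-\d{6,12}$/;
const MAX_LENGTH = 32;

// Returns { ok: true, value } when the reference is safe to forward, otherwise
// { ok: false, reason }. Rejecting beats stripping: stripping quotes alters the value.
function validateOrderRef(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const value = raw.trim();
  if (value.length === 0 || value.length > MAX_LENGTH) {
    return { ok: false, reason: 'bad length' };
  }
  if (!ORDER_REF_PATTERN.test(value)) {
    return { ok: false, reason: 'does not match allowlist' };
  }
  return { ok: true, value };
}

// Splits items (the shape $input.all() returns: [{ json: {...} }, ...]) into
// those safe to pass on to SeaTable and those to route to an error branch.
function filterItems(items, field) {
  const accepted = [];
  const rejected = [];
  for (const item of items) {
    const result = validateOrderRef(item.json[field]);
    if (result.ok) {
      accepted.push({ json: { ...item.json, [field]: result.value } });
    } else {
      rejected.push({ json: { [field]: item.json[field], error: result.reason } });
    }
  }
  return { accepted, rejected };
}

// Inside the Code node (mode "Run Once for All Items") the body would be:
//   const { accepted, rejected } = filterItems($input.all(), 'orderRef');
//   return accepted;   // after logging or branching on `rejected`
// Constructed sample items so the block runs stand-alone:
const SAMPLE_ITEMS = [
  { json: { orderRef: 'ORD-00123456' } },            // legitimate lookup
  { json: { orderRef: "ORD-00123456' OR 1=1 --" } },  // payload quoted in the scenario
  { json: { orderRef: 12345 } },                      // wrong type
  { json: { orderRef: '  ORD-98765432  ' } },         // surrounding whitespace, trimmed
];
const demo = filterItems(SAMPLE_ITEMS, 'orderRef');
```

Route `rejected` to an error branch that returns a generic "not found" response and records the event, so rejected lookups are visible in workflow execution logs without echoing the input back to the caller.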

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system design and development
NIST AI RMF
MS-2.5 - Risks from third-party components are managed
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-42229 actively exploited?

No confirmed active exploitation of CVE-2026-42229 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-42229?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation pipelines, data integration pipelines.

What is the CVSS score for CVE-2026-42229?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, workflow automation pipelines, data integration pipelines

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0085.001 AI Agent Tools

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Exploitation Scenario

An attacker identifies a customer-facing n8n workflow that accepts order lookup requests via a public webhook — a common pattern for support portals or self-service dashboards. The workflow passes the user-supplied order reference directly into a SeaTable row:search node to retrieve matching order records. By injecting SQL fragments into the reference parameter (e.g., appending ' OR 1=1 -- to the input), the attacker manipulates the constructed query to return all rows in the SeaTable base rather than a scoped result set. This exposes other customers' PII, order history, or sensitive business data without any authentication requirement, and without triggering workflow-level access controls that were never applied to the underlying query.

Weaknesses (CWE)

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.

Timeline

Published: April 29, 2026
Last Modified: May 4, 2026
First Seen: April 30, 2026