Skip to content

🚨 SECURITY: n8n:1.42.1 contains critical SQL injection (CVE-2026-59257) #217

Description

@muhamedfazalps

⚠️ Security Alert: Critical SQL Injection in n8n

Affected Package

  • Package: n8n (n8nio/n8n)
  • Vulnerable Version: 1.42.1 (your current version)
  • Fixed Version: 1.123.61
  • CVE: CVE-2026-59257
  • Severity: HIGH (CVSS 8.8)

Vulnerability Description

n8n contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated expression values directly into the raw SQL string without parameterization.

Current Configuration

Your docker-compose.yml uses image: n8nio/n8n:1.42.1 which is vulnerable.

Recommended Fix

Update to the patched version:

image: n8nio/n8n:1.123.61

Note

Version 1.42.1 is significantly outdated. Consider updating to the latest stable version for all security patches.


If you need help implementing the fix, consider supporting this security research: Buy Me a Coffee

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions