n8n Oracle Database Node SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Oracle Database node of n8n, an open-source workflow automation platform. This issue affects versions prior to 1.123.32, 2.17.4, and 2.18.1. The vulnerability arises because user-controlled input in the Limit field, when passed through expressions, is directly interpolated into the SQL query without proper sanitization or parameterization. As a result, in workflows that include external input to the Limit field—such as from a webhook—an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database.

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection, enabling attackers to manipulate SQL queries and potentially exfiltrate sensitive data from the Oracle database.

Remediation

Users can upgrade to n8n versions 1.123.32, 2.17.4, or 2.18.1 to address this vulnerability. If an immediate upgrade is not possible, administrators should limit workflow creation and editing permissions to trusted users, disable the Oracle Database node by excluding it in the NODES_EXCLUDE environment variable, and avoid using unvalidated external input in the Oracle Database node's Limit field.
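The pattern behind the flaw and the last remediation step, as an added illustration that is not n8n's code: the vulnerable builder splices the Limit value into the SQL text, while the hardened builder (an assumed defensive pattern, not necessarily the project's actual fix) accepts only a bounded positive integer and passes it as a bind variable. The table name, `MAX_LIMIT` and the sample inputs are constructed for the example.

```javascript
// Added example, not code from the n8n project.
const MAX_LIMIT = 10000; // assumed ceiling for a single node run

// Vulnerable: whatever arrives in the Limit field (e.g. via a webhook
// expression) becomes part of the SQL statement itself.
function buildQueryVulnerable(table, limit) {
  return {
    sql: `SELECT * FROM ${table} FETCH FIRST ${limit} ROWS ONLY`,
    binds: {},
  };
}

// Hardened: validate first, then bind. Returns null for anything that is
// not a plain positive integer within range, so the caller can fail the
// workflow run instead of sending the statement to Oracle.
function parseLimit(raw) {
  if (typeof raw === 'number') raw = String(raw);
  if (typeof raw !== 'string') return null;
  const s = raw.trim();
  if (!/^\d{1,9}$/.test(s)) return null;
  const n = Number(s);
  return n >= 1 && n <= MAX_LIMIT ? n : null;
}

function buildQuerySafe(table, limit) {
  const n = parseLimit(limit);
  if (n === null) return null;
  // The identifier is still interpolated: Oracle bind variables cannot carry
  // table names, so `table` must come from a fixed allow-list, never from input.
  return {
    sql: `SELECT * FROM ${table} FETCH FIRST :lim ROWS ONLY`,
    binds: { lim: n },
  };
}

// Constructed Limit-field values: one well-formed, one malformed.
const samples = ['25', '25 /* not an integer */'];
for (const s of samples) {
  console.log('vulnerable:', buildQueryVulnerable('EMPLOYEES', s).sql);
  console.log('hardened:  ', JSON.stringify(buildQuerySafe('EMPLOYEES', s)));
}
```

The malformed value reaches the database unchanged through the first builder, while the second rejects it before any statement is formed.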

Added: May 4, 2026, 7:19 PM
Updated: May 4, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 6.3
remediation: 7.9
relevance: 7.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.