Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Published: 2026-05-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious OAuth client can be registered without authentication, and if a user authorizes this client the system renders an arbitrary JavaScript payload in a toast notification. When a second user revokes the client, clicking the notification executes the script in the victim’s authenticated browser session, allowing the attacker to steal credentials, hijack sessions, manipulate workflow definitions, or elevate privileges. The flaw is a classic cross‑site scripting vulnerability.

Affected Systems

This issue affects n8n-io’s n8n product versions prior to 1.123.32, 2.17.4, and 2.18.1.

Risk and Exploitability

With a CVSS score of 8.8 the vulnerability presents a high severity. Because an unauthenticated user can register a client and a legitimate user must authorize it, the attack requires social engineering of the consent dialog or an insider revocation event. EPSS data is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, but the high CVSS and the potential for arbitrary code execution warrant urgent consideration.

Generated by OpenCVE AI on May 4, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 1.123.32, 2.17.4, or 2.18.1 release that contains the MCP OAuth client fix.
  • Restrict OAuth client creation to trusted administrators or disable the feature in production environments.
  • Review and revoke any existing OAuth clients that appear unfamiliar or were not explicitly authorized by a legitimate user.

Generated by OpenCVE AI on May 4, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Title n8n: XSS via MCP OAuth client
Weaknesses CWE-79
CWE-87
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T18:38:09.488Z

Reserved: 2026-04-25T05:37:12.117Z

Link: CVE-2026-42235

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T19:16:06.173

Modified: 2026-05-04T19:16:06.173

Link: CVE-2026-42235

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses