Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Impact
An unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation.
Patches
This issue has been fixed in n8n version 2.14.2. Users should upgrade to this version or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only.
- Disable MCP server functionality if it is not actively required.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Cross-site scripting (XSS) in n8n's MCP OAuth client registration allows remote attackers to execute arbitrary JavaScript in authenticated user sessions. Unauthenticated attackers can inject malicious scripts via the client_name parameter during OAuth client registration, which executes when a second user revokes the OAuth consent, triggering a vulnerable toast notification. Successful exploitation enables session token theft, workflow manipulation, and privilege escalation. CVSS 8.2 (High) reflects the changed scope and complex attack chain requiring victim interaction across multiple user sessions. No public exploit or CISA KEV listing identified at time of analysis, but exploit development is straightforward given the clear attack vector.
Technical ContextAI
This vulnerability affects n8n, an open-source workflow automation platform distributed via npm. The root cause is CWE-87 (Improper Neutralization of Alternate XSS Syntax), a specific variant of stored XSS. The affected component is n8n's MCP (Model Context Protocol) OAuth client registration mechanism, where user-supplied input in the client_name field is stored without proper sanitization. The injected payload remains dormant until triggered by a specific user action-revocation of OAuth consent by a different user-which causes the application to render a toast notification containing the unsanitized client_name. The changed CVSS scope (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security authority, as the XSS executes in the context of the n8n web application, potentially compromising workflows and credentials managed across the platform. Affected packages per CPE and GitHub advisory: npm/n8n versions prior to 1.123.32, versions 2.17.0 through 2.17.3, and versions 2.18.0 through 2.18.0.
RemediationAI
Upgrade to patched n8n versions immediately: version 1.123.32 or later for 1.x branch users, version 2.17.4 or later for 2.17.x branch users, or version 2.18.1 or later for 2.18.x branch users. Patches are vendor-released and independently confirmed via GitHub advisory GHSA-537j-gqpc-p7fq at https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq. For environments where immediate upgrading is not feasible, implement temporary mitigations with awareness of their limitations: restrict network access to the n8n instance and specifically the MCP OAuth registration endpoint using firewall rules or reverse proxy authentication (trade-off: reduces accessibility for legitimate remote users), or disable MCP server functionality entirely if not operationally required (trade-off: loss of MCP integration capabilities). These workarounds do not eliminate the underlying XSS vulnerability and should only serve as short-term risk reduction while planning upgrade deployment. Review existing registered MCP OAuth clients for suspicious client_name values and revoke any unrecognized entries. After patching, verify no malicious OAuth clients remain registered that could trigger the exploit in unpatched sessions.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27110
GHSA-537j-gqpc-p7fq