
n8n CVE-2026-42235

EUVD-2026-27110 HIGH
Improper Neutralization of Alternate XSS Syntax (CWE-87)
2026-04-29 | https://github.com/n8n-io/n8n | GHSA-537j-gqpc-p7fq
CVSS 4.0 base score: 8.8

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: A (Active)
Scope: X (not defined)

Lifecycle Timeline

  • May 04, 2026 - 20:01 (EUVD): Patch available
  • May 04, 2026 - 19:22 (vuln.today): Re-analysis queued
  • May 04, 2026 - 19:22 (NVD): CVSS changed, 8.2 (HIGH) → 8.8 (HIGH)
  • Apr 29, 2026 - 22:02 (vuln.today): Source code evidence fetched
  • Apr 29, 2026 - 22:02 (vuln.today): Analysis generated
  • Apr 29, 2026 - 21:30 (vuln.today): Analysis generated
  • Apr 29, 2026 - 21:23 (NVD): CVE published, HIGH 8.2

Description (NVD)

Impact

An unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation.

Patches

This issue has been fixed in n8n version 2.14.2. Users should upgrade to this version or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only.
  • Disable MCP server functionality if it is not actively required.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Analysis (AI)

Cross-site scripting (XSS) in n8n's MCP OAuth client registration allows remote attackers to execute arbitrary JavaScript in authenticated user sessions. Unauthenticated attackers can inject malicious scripts via the client_name parameter during OAuth client registration, which executes when a second user revokes the OAuth consent, triggering a vulnerable toast notification. …


Remediation (AI)

Within 24 hours: audit n8n OAuth client registrations for suspicious client_name values and disable OAuth client registration if not actively required. Within 7 days: implement WAF rules to sanitize the client_name parameter during OAuth registration endpoints, conduct session audit for token anomalies, and contact n8n support for patch availability timeline. …
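A defensive illustration of the issue described in the Impact section and of the audit step above: a client_name interpolated into notification HTML unescaped versus escaped, plus a pass over stored registrations that flags names carrying markup or links. This is an added example, not n8n's own code; the `{ client_id, client_name }` record shape, the helper names and the sample data are assumptions.

```javascript
// Added example, not n8n code. Shows (1) why interpolating a stored
// client_name into notification HTML is dangerous and how escaping fixes it,
// and (2) an audit pass over registered OAuth clients for suspicious names.
// The { client_id, client_name } record shape is an assumption.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: attacker-controlled client_name lands in the HTML
// unchanged, so any tag or link inside it becomes live DOM in the toast.
function buildRevokeToastUnsafe(clientName) {
  return `<p>Access for ${clientName} has been revoked.</p>`;
}

// Hardened pattern: escape before interpolation; markup shows as literal text.
function buildRevokeToastSafe(clientName) {
  return `<p>Access for ${escapeHtml(clientName)} has been revoked.</p>`;
}

// Audit helper: flag names containing tags, javascript: URLs or inline event
// handlers. Returns client_ids for an administrator to review and disable.
const SUSPICIOUS_NAME = /[<>]|javascript:|\bon[a-z]+\s*=/i;

function auditClientNames(clients) {
  return clients
    .filter((c) => SUSPICIOUS_NAME.test(String(c.client_name)))
    .map((c) => c.client_id);
}

// Constructed sample registrations (not real data).
const SAMPLE_CLIENTS = [
  { client_id: "c1", client_name: "Claude Desktop" },
  { client_id: "c2", client_name: 'Tool <a href="javascript:void 0">click</a>' },
  { client_id: "c3", client_name: "Jones & Sons MCP" },
];

console.log(buildRevokeToastSafe(SAMPLE_CLIENTS[1].client_name));
console.log("flagged:", auditClientNames(SAMPLE_CLIENTS));
```

Rendering the toast text through a DOM text node (or a framework's default text binding) achieves the same result as `escapeHtml`; the audit regex is a triage aid, not a complete sanitizer.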



CVE-2026-42235 vulnerability details – vuln.today
