Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Impact
The /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks "Deny" on the consent page, they are silently redirected to an external site.
Patches
The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict network access to the n8n instance to prevent untrusted users from reaching the MCP OAuth endpoints.
- Limit access to the n8n instance to fully trusted users only.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Open redirect vulnerability in n8n's MCP OAuth consent flow allows unauthenticated attackers to register arbitrary redirect URIs and silently redirect users to attacker-controlled URLs when they deny OAuth consent. The /mcp-oauth/register endpoint lacks authentication and the handleDeny handler does not validate redirect destinations, enabling phishing attacks via crafted links. CVSS 4.7 (network-accessible, requires user interaction). Patches available: versions 1.123.32, 2.17.4, and 2.18.1 or later.
Technical ContextAI
The vulnerability resides in n8n's OAuth implementation for Model Context Protocol (MCP) integrations. The /mcp-oauth/register endpoint accepts OAuth client registration requests without authentication, permitting attackers to register arbitrary redirect_uri values (CWE-601: URL Redirection to Untrusted Site / Open Redirect). When a user denies the OAuth consent dialog, the handleDeny handler retrieves and redirects to the registered redirect_uri without validating that it points to a legitimate, trusted destination. This flaw exists in the npm package n8n across multiple versions: all releases before 1.123.32, versions 2.0.0 through 2.17.3, and versions 2.18.0. The vulnerability requires user interaction (UI:R in CVSS vector) - the victim must click 'Deny' on the consent page - but achieves cross-site scope (S:C), meaning an attacker-controlled external URL can be accessed in the victim's browser context.
RemediationAI
Upgrade n8n immediately to one of the patched versions: 1.123.32 (if on 1.x branch), 2.17.4 (if on 2.0-2.17), or 2.18.1 or later (if on 2.18+). The patch implements input validation in the /mcp-oauth/register endpoint and validates redirect URIs in the handleDeny handler against a whitelist of trusted destinations. If immediate patching is not feasible, restrict network access to n8n to prevent untrusted users from reaching the MCP OAuth endpoints - this can be achieved via firewall rules, IP whitelisting, or deploying n8n behind a reverse proxy with access control. Additionally, limit n8n instance access to fully trusted users only and disable MCP OAuth integration if not in use. These workarounds do not fully remediate the vulnerability and should be temporary measures only. Monitor n8n instance logs for suspicious /mcp-oauth/register requests or unusual redirect patterns in the consent flow.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27100
GHSA-f6x8-65q6-j9m9