Skip to main content

n8n EUVDEUVD-2026-27100

| CVE-2026-42230 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-04-29 https://github.com/n8n-io/n8n GHSA-f6x8-65q6-j9m9
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Patch available
May 04, 2026 - 20:01 EUVD
CVSS changed
May 04, 2026 - 19:22 NVD
4.7 (MEDIUM) 5.1 (MEDIUM)
Source Code Evidence Fetched
Apr 29, 2026 - 22:02 vuln.today
Analysis Generated
Apr 29, 2026 - 22:02 vuln.today
Analysis Generated
Apr 29, 2026 - 21:30 vuln.today
CVE Published
Apr 29, 2026 - 21:10 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

Impact

The /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks "Deny" on the consent page, they are silently redirected to an external site.

Patches

The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Restrict network access to the n8n instance to prevent untrusted users from reaching the MCP OAuth endpoints.
  • Limit access to the n8n instance to fully trusted users only.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

Open redirect vulnerability in n8n's MCP OAuth consent flow allows unauthenticated attackers to register arbitrary redirect URIs and silently redirect users to attacker-controlled URLs when they deny OAuth consent. The /mcp-oauth/register endpoint lacks authentication and the handleDeny handler does not validate redirect destinations, enabling phishing attacks via crafted links. CVSS 4.7 (network-accessible, requires user interaction). Patches available: versions 1.123.32, 2.17.4, and 2.18.1 or later.

Technical ContextAI

The vulnerability resides in n8n's OAuth implementation for Model Context Protocol (MCP) integrations. The /mcp-oauth/register endpoint accepts OAuth client registration requests without authentication, permitting attackers to register arbitrary redirect_uri values (CWE-601: URL Redirection to Untrusted Site / Open Redirect). When a user denies the OAuth consent dialog, the handleDeny handler retrieves and redirects to the registered redirect_uri without validating that it points to a legitimate, trusted destination. This flaw exists in the npm package n8n across multiple versions: all releases before 1.123.32, versions 2.0.0 through 2.17.3, and versions 2.18.0. The vulnerability requires user interaction (UI:R in CVSS vector) - the victim must click 'Deny' on the consent page - but achieves cross-site scope (S:C), meaning an attacker-controlled external URL can be accessed in the victim's browser context.

RemediationAI

Upgrade n8n immediately to one of the patched versions: 1.123.32 (if on 1.x branch), 2.17.4 (if on 2.0-2.17), or 2.18.1 or later (if on 2.18+). The patch implements input validation in the /mcp-oauth/register endpoint and validates redirect URIs in the handleDeny handler against a whitelist of trusted destinations. If immediate patching is not feasible, restrict network access to n8n to prevent untrusted users from reaching the MCP OAuth endpoints - this can be achieved via firewall rules, IP whitelisting, or deploying n8n behind a reverse proxy with access control. Additionally, limit n8n instance access to fully trusted users only and disable MCP OAuth integration if not in use. These workarounds do not fully remediate the vulnerability and should be temporary measures only. Monitor n8n instance logs for suspicious /mcp-oauth/register requests or unusual redirect patterns in the consent flow.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-27100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy