CVE-2026-42235 Overview
CVE-2026-42235 is a stored cross-site scripting (XSS) vulnerability in n8n, an open source workflow automation platform. An unauthenticated attacker can register a malicious Model Context Protocol (MCP) OAuth client with a crafted client_name. When a victim authorizes the OAuth consent dialog and a second user later revokes that access, a toast notification renders the injected script. Clicking the link executes arbitrary JavaScript in the victim's authenticated n8n session. The flaw is tracked under [CWE-79] and was patched in versions 1.123.32, 2.17.4, and 2.18.1.
Critical Impact
Successful exploitation enables credential and session token theft, workflow manipulation, and privilege escalation within the n8n application.
Affected Products
- n8n Enterprise versions prior to 1.123.32
- n8n Enterprise versions prior to 2.17.4
- n8n Enterprise version 2.18.0 (fixed in 2.18.1)
Discovery Timeline
- 2026-05-04 - CVE-2026-42235 published to the National Vulnerability Database
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42235
Vulnerability Analysis
The vulnerability resides in the OAuth client registration flow used by n8n's MCP integration. The client_name field accepted during unauthenticated client registration is not sanitized before being rendered in downstream user interface components. Specifically, when an administrator revokes a previously authorized OAuth client, the application surfaces a toast notification containing the attacker-controlled client_name. The notification renders the value without proper output encoding, allowing embedded HTML and JavaScript payloads to execute in the browser context of the authenticated user.
Because the payload executes inside an active n8n session, an attacker can read session tokens, exfiltrate stored credentials used by workflows, modify or create automation workflows, and escalate privileges if the affected user is an administrator. The attack chain requires user interaction, but the trigger occurs during a routine administrative cleanup task.
Root Cause
The root cause is improper neutralization of user-supplied input during web page generation, classified under [CWE-79]. The OAuth dynamic client registration endpoint accepts unauthenticated input and persists the client_name field. The frontend toast component renders that string as HTML rather than as an inert text node, breaking the trust boundary between unauthenticated input and authenticated user output.
Attack Vector
The attack is network-based and requires no prior authentication to plant the payload. An attacker registers an OAuth client whose client_name contains an HTML anchor tag with a JavaScript handler. A user with consent rights authorizes the client. When a second user revokes the authorization, the malicious link appears inside a toast notification. Activating the link executes the script in the victim's n8n origin, granting the attacker access to the victim's session.
No public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-537j-gqpc-p7fq for vendor-confirmed technical details.
Detection Methods for CVE-2026-42235
Indicators of Compromise
- OAuth client registrations where client_name contains HTML tags, javascript: URIs, or event handler attributes such as onerror or onclick.
- Unexpected outbound requests from authenticated user browsers shortly after OAuth consent or revocation actions.
- New or modified n8n workflows, credentials, or API keys created without a corresponding administrator action.
Detection Strategies
- Inspect the n8n database table storing OAuth clients and alert on client_name values containing <, >, ", or scheme prefixes like javascript:.
- Review reverse proxy and application logs for POST requests to the MCP OAuth dynamic registration endpoint originating from unauthenticated sources.
- Correlate session token reuse from unusual IP addresses with prior OAuth consent or revocation events in the n8n audit log.
Monitoring Recommendations
- Forward n8n application and audit logs to a centralized SIEM and alert on OAuth client lifecycle events.
- Monitor for browser-based anomalies such as unexpected fetches to /rest/credentials or /rest/workflows immediately after admin UI actions.
- Track administrative account activity for unauthorized workflow changes or credential exports.
How to Mitigate CVE-2026-42235
Immediate Actions Required
- Upgrade n8n to version 1.123.32, 2.17.4, or 2.18.1 or later as appropriate for your release branch.
- Audit the OAuth client registry and delete any clients with suspicious client_name values.
- Rotate session secrets, API keys, and credentials stored in workflows if exploitation is suspected.
Patch Information
The maintainers fixed the vulnerability in n8n versions 1.123.32, 2.17.4, and 2.18.1 by sanitizing the client_name field before rendering it in toast notifications. Patch metadata and remediation guidance are available in the GitHub Security Advisory GHSA-537j-gqpc-p7fq.
Workarounds
- Restrict network access to the MCP OAuth dynamic client registration endpoint until the upgrade is applied.
- Disable the MCP OAuth integration if it is not in active use.
- Instruct administrators to avoid clicking links in OAuth-related toast notifications until the patch is deployed.
# Upgrade n8n via npm to a fixed release
npm install -g n8n@2.18.1
# Or pull the patched Docker image
docker pull n8nio/n8n:2.18.1
docker stop n8n && docker rm n8n
docker run -d --name n8n -p 5678:5678 n8nio/n8n:2.18.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
