CVE-2026-42236 Overview
CVE-2026-42236 is a resource exhaustion vulnerability in n8n, an open source workflow automation platform. The flaw exists in the Model Context Protocol (MCP) OAuth client registration endpoint, which accepts unauthenticated requests and stores client data without adequate resource controls. Unauthenticated remote attackers can exhaust server memory by submitting large registration payloads, rendering the n8n instance unavailable. The MCP enable/disable toggle does not restrict client registrations, so the endpoint remains reachable regardless of whether MCP access is enabled. The issue is tracked as [CWE-770] (Allocation of Resources Without Limits or Throttling) and affects n8n versions prior to 1.123.32, 2.17.4, and 2.18.1.
Critical Impact
An unauthenticated remote attacker can render any internet-reachable n8n instance unavailable by sending crafted OAuth client registration payloads, even when MCP functionality is disabled.
Affected Products
- n8n versions prior to 1.123.32
- n8n versions prior to 2.17.4
- n8n version 2.18.0 (Enterprise, Node.js)
Discovery Timeline
- 2026-05-04 - CVE-2026-42236 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42236
Vulnerability Analysis
The vulnerability resides in n8n's MCP OAuth client registration endpoint. OAuth Dynamic Client Registration (RFC 7591) allows clients to register with an authorization server by submitting metadata such as redirect URIs, client names, and scopes. n8n's implementation of this endpoint accepts the registration request without authentication and persists the submitted client data without enforcing payload size limits, rate limits, or storage quotas.
An attacker can repeatedly submit large registration payloads to consume server memory and backing storage. Because the endpoint accepts any payload size, a single attacker with network access can degrade or crash the n8n process. The endpoint remains exposed even when administrators disable MCP using the platform toggle, defeating the assumption that disabling MCP removes the attack surface.
The attack vector is network-based, requires no privileges, and requires no user interaction. Confidentiality and integrity are not affected, but availability impact is high.
Root Cause
The root cause is missing resource governance on the OAuth Dynamic Client Registration handler. The handler does not authenticate callers, does not bound payload size, does not throttle registration frequency, and does not check whether MCP is enabled before persisting records. The MCP feature toggle gates runtime MCP access but is not consulted by the registration code path.
Attack Vector
An unauthenticated attacker sends HTTP POST requests to the MCP OAuth client registration endpoint with oversized JSON payloads. Each request causes n8n to allocate memory and write client metadata to storage. Repeated requests exhaust available memory and force the process to terminate or become unresponsive. No authentication, no MCP enablement, and no user interaction are required. Refer to the n8n GitHub Security Advisory GHSA-49m9-pgww-9vq6 for vendor details.
Detection Methods for CVE-2026-42236
Indicators of Compromise
- Repeated HTTP POST requests to MCP OAuth client registration endpoints from a single source IP or small set of IPs.
- Anomalously large request bodies sent to OAuth registration paths exposed by n8n.
- Sudden growth in the n8n client registration data store with auto-generated or randomized client names.
- n8n process memory consumption climbing rapidly followed by out-of-memory termination or restart loops.
Detection Strategies
- Inspect web server, reverse proxy, and WAF logs for POST requests to MCP OAuth registration paths exceeding expected payload sizes.
- Correlate spikes in registration endpoint traffic with n8n container or host memory metrics to identify exhaustion attempts.
- Audit the n8n database for an unusual volume of OAuth client records created over short time windows.
Monitoring Recommendations
- Enable request size and rate metrics on any reverse proxy fronting n8n, alerting on outliers to OAuth endpoints.
- Monitor n8n container memory, restart counts, and 5xx error rates as availability signals.
- Forward n8n application logs and proxy access logs to a centralized SIEM for retention and correlation.
How to Mitigate CVE-2026-42236
Immediate Actions Required
- Upgrade n8n to version 1.123.32, 2.17.4, or 2.18.1 or later, depending on the deployed release line.
- Restrict network exposure of n8n instances to trusted networks or place them behind authenticated reverse proxies until patched.
- Review existing OAuth client registrations for unexpected entries and remove attacker-created records.
Patch Information
The vendor has released fixes in n8n 1.123.32, 2.17.4, and 2.18.1. The patches add resource controls to the MCP OAuth client registration endpoint. Refer to the n8n GitHub Security Advisory GHSA-49m9-pgww-9vq6 for full remediation guidance and release notes.
Workarounds
- Block external access to MCP OAuth client registration paths at the reverse proxy or WAF until upgrade is possible.
- Apply request size limits and rate limits on the upstream proxy for n8n HTTP endpoints.
- Place n8n behind network controls that require authentication or VPN access for any administrative or OAuth endpoint.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
