
Oscarbataille

#23343 of 53,633
10 Total CVSS
Vulnerabilities · 1
PT-2026-36905
10
2026-04-22
N8N · N8N · CVE-2026-42235
**Name of the Vulnerable Software and Affected Versions**

- n8n versions prior to 1.123.32
- n8n versions prior to 2.17.4
- n8n versions prior to 2.18.1

**Description**

An unauthenticated attacker can register a malicious MCP OAuth client using a crafted `client name`. If a victim user authorizes the OAuth consent dialog and a second user later revokes that access, a toast notification renders the injected script. Clicking the link executes arbitrary JavaScript within the victim's authenticated browser session, which can lead to the theft of credentials and session tokens, manipulation of workflows, or privilege escalation.

**Recommendations**

- Update to version 1.123.32.
- Update to version 2.17.4.
- Update to version 2.18.1.