PT-2026-36905 · N8N · N8N

Oscarbataille · Published 2026-04-22 · Updated 2026-05-13 · CVE-2026-42235

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (as printed, this vector computes to 9.6 with the CVSS v3.1 calculator, so either the score or the UI metric is inconsistent; check the upstream advisory before reusing either value)
Name of the Vulnerable Software and Affected Versions
n8n, 1.x branch: versions prior to 1.123.32
n8n, 2.17.x branch: versions prior to 2.17.4
n8n, 2.18.x branch: versions prior to 2.18.1
Description An unauthenticated attacker can register a malicious MCP OAuth client whose client name contains HTML/JavaScript; the registration endpoint requires no authentication, so anyone who can reach the instance can plant the name. The stored name is later rendered without proper escaping: if a victim user approves the OAuth consent dialog for that client and a second user later revokes the client's access, the revocation toast notification renders the injected markup. Clicking the injected link executes arbitrary JavaScript in the victim's authenticated browser session, which can lead to theft of credentials and session tokens, manipulation of workflows, or privilege escalation (a stored XSS reachable through an unauthenticated registration endpoint).
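To make the bug class concrete, the following is an added illustration and not n8n's code or the advisory's: a toy OAuth dynamic-registration handler that stores a client name, a vulnerable toast renderer that interpolates it unescaped beside a hardened one that escapes at the output boundary, and a registration-time validator. The identifiers registerClient, revokeToastVulnerable, revokeToastHardened and validateClientName, the registry and the payload are all constructed for this example and are not n8n identifiers.

```javascript
// Added example, not n8n's code. It models the bug class in the advisory:
// a client_name accepted at unauthenticated dynamic client registration
// is later interpolated into a revocation toast without HTML escaping.
// All names here (registerClient, revokeToast*, validateClientName) are
// hypothetical stand-ins, not n8n identifiers.

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Toy client registry standing in for the server-side OAuth client store.
const clients = new Map();
let nextId = 1;

// Unauthenticated registration handler (hypothetical, RFC 7591-style body).
// Note there is no caller check: anyone who can reach it may plant a name.
function registerClient(body) {
  const clientId = `client-${nextId++}`;
  clients.set(clientId, {
    client_name: String(body.client_name ?? ''),
    redirect_uris: Array.isArray(body.redirect_uris) ? body.redirect_uris : [],
  });
  return clientId;
}

// VULNERABLE rendering: the stored name goes straight into the markup.
function revokeToastVulnerable(clientId) {
  const c = clients.get(clientId);
  return `<div class="toast">Access for <a href="#">${c.client_name}</a> was revoked</div>`;
}

// HARDENED rendering: escape the untrusted name at the output boundary.
function revokeToastHardened(clientId) {
  const c = clients.get(clientId);
  return `<div class="toast">Access for <a href="#">${escapeHtml(c.client_name)}</a> was revoked</div>`;
}

// Defence in depth at registration time: a display name never needs markup,
// so reject any that contains HTML metacharacters or is unreasonably long.
function validateClientName(name) {
  return typeof name === 'string'
    && name.trim().length > 0
    && name.length <= 128
    && !/[<>"'&]/.test(name);
}

// Constructed test payload: a link that runs script when clicked.
const PAYLOAD = '<a href="#" onclick="alert(document.domain)">Confirm</a>';

// Run the two code paths against the same malicious registration.
function demo() {
  const id = registerClient({ client_name: PAYLOAD, redirect_uris: ['http://localhost/cb'] });
  return {
    vulnerable: revokeToastVulnerable(id),
    hardened: revokeToastHardened(id),
    rejectedAtRegistration: !validateClientName(PAYLOAD),
  };
}

const r = demo();
console.log('vulnerable :', r.vulnerable);
console.log('hardened   :', r.hardened);
console.log('rejected   :', r.rejectedAtRegistration);
```

Run it with node: the vulnerable line carries the attacker's `onclick` attribute into the toast, while the hardened line shows the same name as escaped text, so a click has nothing to execute. Escaping at the output boundary is the actual fix; the registration-time validator only narrows the window for any other sink that renders the same stored name.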
Recommendations Update to the fixed release of the branch in use: 1.123.32 for 1.x, 2.17.4 for 2.17.x, or 2.18.1 for 2.18.x (or any later version). Until patched, review the registered MCP OAuth clients for names containing HTML markup and revoke them from a session you are prepared to treat as exposed.

Fix

LPE

XSS


Weakness Enumeration

Related Identifiers

BDU:2026-06872
CVE-2026-42235
GHSA-537J-GQPC-P7FQ

Affected Products

N8N