PT-2026-36906 · N8N · N8N
Ori-Ron · Published 2026-04-22 · Updated 2026-05-13 · CVE-2026-42236
CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
n8n versions prior to 1.123.32
n8n versions prior to 2.17.4
n8n versions prior to 2.18.1
Description
The MCP OAuth client registration endpoint accepts unauthenticated requests and stores client data without adequate resource controls. A remote attacker can exhaust server memory resources by sending large registration payloads, leading to a denial of service that renders the instance unavailable. The endpoint remains reachable even if the MCP enable/disable toggle is used to gate access.
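An added illustration of the resource controls the description says were missing (this is not n8n's code or its patch): a registration handler that checks the feature toggle itself, caps payload size and field lengths, and bounds the number of stored clients. The function names and limits are hypothetical, and the `redirect_uris` and `client_name` fields assume an RFC 7591 style registration payload.

```javascript
// Added illustration, not n8n source. Names and limits are hypothetical.
const MAX_BODY_BYTES = 16 * 1024; // largest registration payload accepted
const MAX_CLIENTS = 1000;         // ceiling on stored registrations
const MAX_REDIRECT_URIS = 10;
const MAX_FIELD_CHARS = 2048;

function createRegistry(isFeatureEnabled) {
  const clients = new Map();
  let nextId = 1;

  // rawBody: the request body as a string, before any JSON parsing.
  // A real server should also enforce the byte cap while reading the stream.
  function register(rawBody) {
    // Gate inside the handler so a disabled feature is never reachable.
    if (!isFeatureEnabled()) return { status: 404, error: 'not_found' };
    // Refuse oversized input before parsing or storing anything.
    if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
      return { status: 413, error: 'payload_too_large' };
    }
    // Bound total memory: unauthenticated callers cannot grow the store forever.
    if (clients.size >= MAX_CLIENTS) {
      return { status: 429, error: 'registration_limit_reached' };
    }
    let body;
    try {
      body = JSON.parse(rawBody);
    } catch {
      return { status: 400, error: 'invalid_client_metadata' };
    }
    const uris = body && body.redirect_uris;
    const name = body && body.client_name;
    const urisOk = Array.isArray(uris) && uris.length > 0 &&
      uris.length <= MAX_REDIRECT_URIS &&
      uris.every((u) => typeof u === 'string' && u.length <= MAX_FIELD_CHARS);
    const nameOk = name === undefined ||
      (typeof name === 'string' && name.length <= MAX_FIELD_CHARS);
    if (!urisOk || !nameOk) {
      return { status: 400, error: 'invalid_client_metadata' };
    }
    // Persist only validated fields, never the whole request body.
    const clientId = `client-${nextId++}`;
    clients.set(clientId, { client_name: name || '', redirect_uris: [...uris] });
    return { status: 201, client_id: clientId };
  }

  return { register, size: () => clients.size };
}
```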
Recommendations
Update to version 1.123.32.
Update to version 2.17.4.
Update to version 2.18.1.
Fix
DoS
Allocation of Resources Without Limits
Affected Products
N8N