VYPR
Medium severity6.1GHSA Advisory· Published May 4, 2026· Updated May 6, 2026

CVE-2026-42230

CVE-2026-42230

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks "Deny" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
n8nnpm
< 1.123.321.123.32
n8nnpm
>= 2.18.0, < 2.18.12.18.1
n8nnpm
>= 2.0.0, < 2.17.42.17.4

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

1