n8n's MCP OAuth registration endpoint (/mcp-oauth/register) accepts arbitrary redirect URIs without any authentication, allowing an attacker to pre-register a malicious destination before any user interaction occurs. The attack exploits user intuition: a victim who clicks a crafted link and then chooses 'Deny' on the consent dialog — the expected safe action — is silently forwarded to an attacker-controlled phishing site. With 75 prior CVEs in this package, an EPSS score in the 86th percentile for exploitation likelihood, and n8n's broad deployment as an AI agent orchestration platform handling sensitive LLM API credentials, the blast radius extends well beyond a simple redirect. Organizations running n8n should patch to 1.123.32 (v1) or 2.17.4/2.18.1 (v2) immediately and audit existing OAuth registrations for unexpected external redirect URIs.
What is the risk?
Medium risk. The vulnerability is trivially exploitable — no authentication or technical skill required to register a malicious OAuth client via the open endpoint. While the direct impact is limited to an open redirect with no code execution or direct data exfiltration, the operational context is high-value: n8n workflows commonly orchestrate AI agent pipelines with embedded credentials for LLM APIs, vector databases, and cloud services. The attack is particularly dangerous against technical users managing AI infrastructure, since denying a suspicious consent dialog is the intuitive secure response yet still triggers the redirect. EPSS 86th percentile and 75 historical CVEs in the same package signal a persistently vulnerable codebase requiring active monitoring.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.32 | 1.123.32 |
Do you use n8n? You're affected.
What should I do?
5 steps:
1. Patch immediately: upgrade to n8n 1.123.32 (v1 branch) or 2.17.4/2.18.1 (v2 branch).
2. If patching is delayed, block unauthenticated external access to /mcp-oauth/register at the WAF or network perimeter.
3. Audit all registered OAuth clients in your n8n instance for unexpected external redirect_uri values and purge any not explicitly authorized.
4. Review server logs for unauthenticated POST requests to /mcp-oauth/register, especially from external IPs.
5. Alert users not to enter credentials on any page reached following an n8n consent interaction until the patch is confirmed deployed.
Frequently Asked Questions
Is CVE-2026-42230 actively exploited?
No confirmed active exploitation of CVE-2026-42230 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-42230?
This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, Workflow automation with LLM integrations, MCP (Model Context Protocol) deployments, Multi-tool AI agent pipelines.
What is the CVSS score for CVE-2026-42230?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0011.003 Malicious Link
- AML.T0048.003 User Harm
- AML.T0049 Exploit Public-Facing Application
- AML.T0052 Phishing
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks "Deny" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Exploitation Scenario
An attacker identifies an internet-exposed n8n instance and sends an unauthenticated POST to /mcp-oauth/register with redirect_uri pointing to a phishing site mimicking an AI service login page (e.g., a fake OpenAI API key portal). The attacker then crafts an OAuth initiation URL and delivers it to a DevOps engineer or data scientist via a phishing email framed as a legitimate n8n integration request. The victim opens the link, sees a familiar n8n consent dialog, and clicks 'Deny' — the expected safe action. The handleDeny handler silently redirects the victim to the attacker's phishing site. The victim, having just rejected an authorization, is psychologically off-guard and far more likely to enter their AI service credentials on what appears to be a routine login page, giving the attacker direct access to LLM APIs and connected AI infrastructure.
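The fix shape the advisory implies, as an added example that is not n8n's code: registration authenticates the caller and validates every redirect_uri against an exact host allowlist, and the deny handler refuses to redirect anywhere that is not a registered, still-valid URI, rendering a local error instead (RFC 6749 section 3.1.2.4). The function names, the allowlist and the in-memory client store are hypothetical; the same validator doubles as the audit check for existing registrations described in the remediation steps.

```javascript
// Added example, not n8n's code; names and the allowlist are hypothetical.
const hostAllowlist = new Set(["app.example.com", "localhost", "127.0.0.1"]);

// Registration-time policy: absolute URL, https (http only on loopback),
// hostname on the allowlist, no embedded credentials, no fragment.
function isAcceptableRedirectUri(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  const loopback = u.hostname === "localhost" || u.hostname === "127.0.0.1";
  if (u.protocol !== "https:" && !(u.protocol === "http:" && loopback)) return false;
  if (u.username || u.password || u.hash) return false;
  return hostAllowlist.has(u.hostname);
}

// In-memory store standing in for the client registration table.
const clients = new Map();

// Hardened registration: caller must already be authenticated, and every
// redirect_uri must pass the policy or the whole request is rejected.
function registerClient(principal, clientId, redirectUris) {
  if (!principal) return { ok: false, error: "unauthorized" };
  if (!redirectUris.length || !redirectUris.every(isAcceptableRedirectUri)) {
    return { ok: false, error: "invalid_redirect_uri" };
  }
  clients.set(clientId, { redirectUris: [...redirectUris] });
  return { ok: true };
}

// Hardened deny handler. The advisory's defect is a 302 to the stored URI
// with no check; here the target must exactly match a registered URI and
// still pass policy (the allowlist may have shrunk since registration).
// Anything else gets a local error page, never a redirect (RFC 6749 3.1.2.4).
function handleDeny(clientId, redirectUri) {
  const client = clients.get(clientId);
  const ok = client !== undefined
    && client.redirectUris.includes(redirectUri)
    && isAcceptableRedirectUri(redirectUri);
  if (!ok) return { status: 400, body: "invalid redirect_uri" };
  const target = new URL(redirectUri);
  target.searchParams.set("error", "access_denied");
  return { status: 302, location: target.toString() };
}

// Audit helper for existing registrations: ids of clients holding any URI
// that fails today's policy.
function auditClients(store) {
  return [...store]
    .filter(([, c]) => !c.redirectUris.every(isAcceptableRedirectUri))
    .map(([id]) => id);
}
```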
Weaknesses (CWE)
CWE-601 URL Redirection to Untrusted Site ('Open Redirect') (Primary)
CWE-601 — URL Redirection to Untrusted Site ('Open Redirect'): The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Source: MITRE CWE corpus.
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials. Same package: n8n
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion. Same package: n8n
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same package: n8n
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE. Same package: n8n
- CVE-2026-27495 (9.9) n8n: Code Injection enables RCE. Same package: n8n