AI Threat Alert

CVE-2026-42235: n8n: stored XSS via MCP OAuth steals agent sessions

GHSA-537j-gqpc-p7fq UNKNOWN
Published April 29, 2026
CISO Take

An unauthenticated attacker can register a malicious MCP OAuth client in n8n with a crafted client_name containing an XSS payload; when a user authorizes that client and a second user subsequently revokes access, a toast notification renders the unescaped script, and clicking it executes arbitrary JavaScript in the victim's authenticated session. For organizations using n8n as their AI workflow orchestration backbone — connecting LLMs, databases, CRMs, and enterprise APIs — session hijacking translates directly to complete workflow takeover and mass credential exfiltration from every connected integration. While EPSS is low at 0.00073, the 78th-percentile ranking and n8n's history of 75 prior CVEs signal an elevated exploitation risk for a package sitting at a privileged position in AI agent pipelines. Patch immediately to n8n 1.123.32, 2.17.4, or 2.18.1; if immediate patching is not feasible, restrict MCP OAuth client registration to trusted principals and audit existing client registrations for suspicious client_name values.

Sources: NVD EPSS GitHub Advisory ATLAS OpenSSF

What is the risk?

MEDIUM-HIGH. The attack chain requires zero authentication and only moderate user interaction — a second user revoking access plus the victim clicking a rendered toast. The exploitability ceiling is inherently low-friction: the registration endpoint is public-facing, the payload delivery is passive, and execution depends on normal administrative workflows. The impact ceiling is severe: n8n instances routinely hold credentials for dozens of enterprise and AI integrations. The 75-CVE history of this package suggests persistent code quality issues that increase confidence in exploitability. No public exploit or active exploitation is confirmed, keeping immediate risk at medium, but the novelty of the MCP OAuth attack vector warrants prompt action.

How does the attack unfold?

Malicious Registration
Unauthenticated attacker registers a malicious MCP OAuth client via the public registration endpoint, embedding an XSS payload in the client_name field.
AML.T0021
Authorization & Revocation Trigger
A legitimate user authorizes the malicious OAuth client via the consent dialog; a second user (e.g., admin) subsequently revokes that access, triggering a toast notification containing the unescaped payload.
AML.T0049
XSS Execution
Victim clicks the toast notification link, executing arbitrary JavaScript in their authenticated n8n browser session and silently exfiltrating the session token to the attacker.
AML.T0011.003
Session Hijack & Credential Harvest
Attacker uses the stolen session token to access all n8n workflows, extract credentials for connected AI services and enterprise integrations, and plant persistence mechanisms.
AML.T0091.000

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm < 1.123.32 1.123.32
193.4K OpenSSF 6.6 Pushed 4d ago 54% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
0.3%
chance of exploitation in 30 days
Higher than 25% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

6 steps

  1. Patch immediately: upgrade to n8n 1.123.32 (v1 branch), 2.17.4, or 2.18.1 — all three branches are patched.

  2. If patching is not immediately possible, block unauthenticated access to the MCP OAuth client registration endpoint at the network or reverse-proxy layer.

  3. Audit n8n logs for OAuth client registrations containing HTML or script tags in client_name fields — these are indicators of exploitation attempts.

  4. Rotate all credentials stored in n8n workflows (API keys, OAuth tokens, service accounts) if the instance was internet-accessible prior to patching.

  5. Review workflow execution logs for anomalous or unauthorized runs that may indicate post-exploitation abuse.

  6. Enumerate all MCP OAuth clients currently registered and revoke any unrecognized entries.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Data Extraction Auth Bypass Agent Plugin Framework AML.T0011.003 AML.T0021 AML.T0049 AML.T0053 AML.T0081 AML.T0083 AML.T0091.000

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system security
NIST AI RMF
GOVERN 1.2 - Accountability for AI risk MANAGE 2.2 - Mechanisms for AI risk treatment
OWASP LLM Top 10
LLM05 - Improper Output Handling LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-42235?

An unauthenticated attacker can register a malicious MCP OAuth client in n8n with a crafted client_name containing an XSS payload; when a user authorizes that client and a second user subsequently revokes access, a toast notification renders the unescaped script, and clicking it executes arbitrary JavaScript in the victim's authenticated session. For organizations using n8n as their AI workflow orchestration backbone — connecting LLMs, databases, CRMs, and enterprise APIs — session hijacking translates directly to complete workflow takeover and mass credential exfiltration from every connected integration. While EPSS is low at 0.00073, the 78th-percentile ranking and n8n's history of 75 prior CVEs signal an elevated exploitation risk for a package sitting at a privileged position in AI agent pipelines. Patch immediately to n8n 1.123.32, 2.17.4, or 2.18.1; if immediate patching is not feasible, restrict MCP OAuth client registration to trusted principals and audit existing client registrations for suspicious client_name values.

Is CVE-2026-42235 actively exploited?

No confirmed active exploitation of CVE-2026-42235 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42235?

1. Patch immediately: upgrade to n8n 1.123.32 (v1 branch), 2.17.4, or 2.18.1 — all three branches are patched. 2. If patching is not immediately possible, block unauthenticated access to the MCP OAuth client registration endpoint at the network or reverse-proxy layer. 3. Audit n8n logs for OAuth client registrations containing HTML or script tags in client_name fields — these are indicators of exploitation attempts. 4. Rotate all credentials stored in n8n workflows (API keys, OAuth tokens, service accounts) if the instance was internet-accessible prior to patching. 5. Review workflow execution logs for anomalous or unauthorized runs that may indicate post-exploitation abuse. 6. Enumerate all MCP OAuth clients currently registered and revoke any unrecognized entries.

What systems are affected by CVE-2026-42235?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Workflow automation platforms, MCP-connected agent systems, Multi-agent orchestration, Enterprise AI integration layers.

What is the CVSS score for CVE-2026-42235?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworksWorkflow automation platformsMCP-connected agent systemsMulti-agent orchestrationEnterprise AI integration layers

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0021 Establish Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 1.2, MANAGE 2.2
OWASP LLM Top 10: LLM05, LLM06

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Exploitation Scenario

An adversary targeting an organization that uses n8n to orchestrate AI agent workflows discovers the public MCP OAuth registration endpoint. The attacker registers a client with client_name set to a JavaScript payload such as a cookie-stealing script pointed at an attacker-controlled server. When a legitimate n8n developer or admin authorizes the OAuth consent dialog — for example, while onboarding a third-party AI tool integration — and an admin subsequently revokes that access, a toast notification in the authenticated user's browser renders the unescaped client_name. The admin clicks the notification, silently exfiltrating their session token. The attacker uses the stolen session to access all n8n workflows, extract API keys for connected LLM providers and databases, and plant backdoor workflows that periodically exfiltrate data or relay LLM queries through attacker-controlled infrastructure.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary CWE-87 Improper Neutralization of Alternate XSS Syntax Primary CWE-87 Improper Neutralization of Alternate XSS Syntax Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

References

Timeline

Published
April 29, 2026
Last Modified
May 4, 2026
First Seen
April 30, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed