n8n's MCP OAuth client registration endpoint accepted unauthenticated POST requests with no rate limiting or payload size constraints, allowing any remote attacker to exhaust server memory by flooding it with large registration payloads. Critically, the MCP enable/disable toggle—the expected access control—did not protect this endpoint, meaning all n8n deployments were exposed regardless of their MCP configuration. With 75 prior CVEs in this package, an OpenSSF score of 6/10, and a risk score of 69/100, n8n carries elevated supply chain risk in AI agent pipelines where it commonly orchestrates LLM calls and external tool integrations. Patch immediately to versions 1.123.32, 2.17.4, or 2.18.1; if patching is not immediately feasible, block access to the MCP OAuth registration endpoint at the network perimeter via WAF or reverse proxy ACL.
What is the risk?
MEDIUM. The vulnerability is trivially exploitable—no authentication, no specialized knowledge, just HTTP requests—and can render n8n instances completely unavailable. Exploitation likelihood remains modest (EPSS 0.00082, top 76th percentile, not in CISA KEV, no public exploit or scanner template), but risk is elevated for organizations using n8n as a central AI agent orchestration layer where service disruption cascades into downstream LLM workflows and automated pipelines.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.32 | 1.123.32 |
Do you use n8n? You're affected.
How severe is it?
What should I do?
5 steps:
- Patch: Upgrade n8n to 1.123.32 (v1 branch), 2.17.4, or 2.18.1 immediately.
- Network controls: If patching is not immediately possible, restrict access to the MCP OAuth client registration endpoint via WAF rules, reverse proxy ACLs, or network segmentation; block unauthenticated POST requests to that route.
- Detection: Monitor for abnormal memory consumption on n8n hosts, unexpected spikes in POST requests to MCP-related endpoints, and OOM (out-of-memory) events in n8n process logs.
- Verification: Do not rely on the MCP toggle for protection; confirm that a patched version is running.
- Inventory: Identify all n8n deployments, including self-hosted instances in CI/CD pipelines or agent stacks, and prioritize internet-facing ones for immediate patching.
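The detection step above asks for alerting on request bursts and oversized payloads against the registration endpoint. The following is an added example, not n8n's code and not from the advisory: it runs that heuristic over constructed reverse-proxy log lines. The route path (`MCP_REGISTER_PATH`), the log format and the thresholds are placeholders and assumptions, not values taken from the advisory.

```python
"""Flood/oversize detection for POSTs to the MCP OAuth registration route.
Added example, not n8n code; path, log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: placeholder for the MCP OAuth client registration route.
# Replace with the real path from your n8n version's route table.
MCP_REGISTER_PATH = "/<mcp-oauth-client-registration-route>"

# Registration bodies are small JSON; repeated registrations from one client are not normal.
MAX_BODY_BYTES = 16 * 1024          # assumed ceiling for a legitimate registration body
BURST_COUNT = 20                    # registrations from one IP within the window
BURST_WINDOW = timedelta(seconds=60)

# Assumed proxy log format: ip [ISO timestamp] "METHOD path" status request_body_bytes
LOG_RE = re.compile(r'^(\S+) \[(\S+)\] "(\w+) (\S+)" (\d{3}) (\d+)$')

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": path, "status": int(status), "size": int(size)}

def detect_registration_flood(lines):
    """Return {source_ip: [alert reasons]} for oversized bodies and per-IP bursts."""
    alerts = defaultdict(list)
    recent = defaultdict(list)  # ip -> timestamps of registration POSTs inside the window
    for raw in lines:
        ev = parse_line(raw)
        if not ev or ev["method"] != "POST" or ev["path"] != MCP_REGISTER_PATH:
            continue
        if ev["size"] > MAX_BODY_BYTES:
            alerts[ev["ip"]].append(f"oversized registration body ({ev['size']} bytes)")
        window = recent[ev["ip"]] + [ev["ts"]]
        recent[ev["ip"]] = [t for t in window if ev["ts"] - t <= BURST_WINDOW]
        if len(recent[ev["ip"]]) == BURST_COUNT:  # fire once, when the threshold is crossed
            alerts[ev["ip"]].append(f"{BURST_COUNT} registrations within {BURST_WINDOW.seconds}s")
    return dict(alerts)

# Constructed sample log: one normal client, one client flooding 5 MiB bodies every second.
SAMPLE_LOG = [f'10.0.0.5 [2026-01-01T12:00:00] "POST {MCP_REGISTER_PATH}" 201 412'] + [
    f'203.0.113.9 [2026-01-01T12:00:{i:02d}] "POST {MCP_REGISTER_PATH}" 201 {5 * 1024 * 1024}'
    for i in range(25)]

if __name__ == "__main__":
    for ip, reasons in detect_registration_flood(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```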
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-42236?
n8n's MCP OAuth client registration endpoint accepted unauthenticated POST requests with no rate limiting or payload size constraints, allowing any remote attacker to exhaust server memory by flooding it with large registration payloads. Critically, the MCP enable/disable toggle—the expected access control—did not protect this endpoint, meaning all n8n deployments were exposed regardless of their MCP configuration. With 75 prior CVEs in this package, an OpenSSF score of 6/10, and a risk score of 69/100, n8n carries elevated supply chain risk in AI agent pipelines where it commonly orchestrates LLM calls and external tool integrations. Patch immediately to versions 1.123.32, 2.17.4, or 2.18.1; if patching is not immediately feasible, block access to the MCP OAuth registration endpoint at the network perimeter via WAF or reverse proxy ACL.
Is CVE-2026-42236 actively exploited?
No confirmed active exploitation of CVE-2026-42236 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-42236?
1. Patch: Upgrade n8n to 1.123.32 (v1 branch), 2.17.4, or 2.18.1 immediately.
2. Network controls: If patching is not immediately possible, restrict access to the MCP OAuth client registration endpoint via WAF rules, reverse proxy ACLs, or network segmentation; block unauthenticated POST requests to that route.
3. Detection: Monitor for abnormal memory consumption on n8n hosts, unexpected spikes in POST requests to MCP-related endpoints, and OOM (out-of-memory) events in n8n process logs.
4. Verification: Do not rely on the MCP toggle for protection; confirm that a patched version is running.
5. Inventory: Identify all n8n deployments, including self-hosted instances in CI/CD pipelines or agent stacks, and prioritize internet-facing ones for immediate patching.
What systems are affected by CVE-2026-42236?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, LLM orchestration pipelines, MCP-enabled AI deployments.
What is the CVSS score for CVE-2026-42236?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0029 Denial of AI Service
- AML.T0034.002 Agentic Resource Consumption
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could exhaust server memory resources by sending large registration payloads, rendering the n8n instance unavailable. The MCP enable/disable toggle gates MCP access but did not restrict client registrations, meaning the endpoint is reachable regardless of whether MCP access is enabled on the instance. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Exploitation Scenario
An adversary identifies an internet-facing n8n instance via Shodan, Censys, or subdomain enumeration. Without any credentials or prior access, they script a loop that repeatedly POSTs oversized JSON payloads to the MCP OAuth client registration endpoint. Since n8n stores each registration payload in server memory without limits or throttling, and the endpoint remains reachable even with MCP disabled, the server's available RAM is progressively exhausted. After a sustained flood—achievable in minutes with a basic HTTP client—the n8n process crashes or becomes unresponsive, taking all orchestrated AI workflows and LLM integrations offline. No AI or ML knowledge is required; the attack is within reach of any script-kiddie with a target IP and a curl command.
Weaknesses (CWE)
CWE-770 Allocation of Resources Without Limits or Throttling
Primary
CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
- [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
- [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
| CVE | Score | Title | Relationship |
|---|---|---|---|
| CVE-2026-33663 | 10.0 | n8n: member role steals plaintext HTTP credentials | Same package: n8n |
| CVE-2026-33660 | 10.0 | TensorFlow: type confusion NPD in tensor conversion | Same package: n8n |
| CVE-2026-21858 | 10.0 | n8n: Input Validation flaw enables exploitation | Same package: n8n |
| CVE-2026-27495 | 9.9 | n8n: Code Injection enables RCE | Same package: n8n |
| CVE-2026-27577 | 9.9 | n8n: Code Injection enables RCE | Same package: n8n |