Threat Feed
high advisory

n8n MCP OAuth Client XSS Vulnerability

n8n is vulnerable to cross-site scripting (XSS) via a malicious MCP OAuth client, allowing an unauthenticated attacker to inject arbitrary JavaScript into an authenticated user's session.

n8n, a workflow automation platform, is susceptible to a cross-site scripting (XSS) vulnerability (CVE-2026-42235) related to the registration of malicious MCP OAuth clients. An unauthenticated attacker can register an OAuth client with a crafted client_name containing malicious JavaScript. This vulnerability exists in versions prior to 2.14.2 and also affects versions 2.17.0 to 2.17.3 and 2.18.0. A successful exploit allows the attacker to execute arbitrary JavaScript within a victim’s authenticated n8n session, potentially leading to credential theft, session token theft, workflow manipulation, or privilege escalation. Defenders should prioritize patching to version 2.14.2 or later to mitigate the risk.

Attack Chain

  1. An unauthenticated attacker registers a malicious MCP OAuth client with a crafted client_name containing an XSS payload.
  2. A victim user navigates to the n8n instance and is presented with the malicious OAuth consent dialog.
  3. The victim user authorizes the malicious OAuth client, unknowingly injecting the attacker’s script into their session.
  4. A second user, possibly an administrator, revokes the OAuth access granted to the malicious client.
  5. This revocation triggers a toast notification to the original victim user.
  6. The toast notification renders the attacker’s injected script from the crafted client_name.
  7. The victim user clicks on the link within the toast notification.
  8. The injected JavaScript executes within the victim’s authenticated n8n browser session, enabling the attacker to perform malicious actions such as stealing credentials, manipulating workflows, or escalating privileges.
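As an added illustration (not code from n8n or from the advisory), the rendering pattern that lets a stored client_name reach the toast as live markup, next to the escaped form and a registration-time sanity check of the kind the detection rule looks for; the toast template, function names and sample client names are assumptions.

```javascript
// Added example, not n8n's code. Shows why an unescaped client_name in a
// toast message becomes script execution, and two defensive layers.
// The toast template, function names and sample names are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out of an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: attacker-controlled client_name interpolated straight into markup
// (what happens when such a string is assigned via innerHTML or v-html).
function buildRevocationToastUnsafe(clientName) {
  return `<div class="toast">Access for client "${clientName}" was revoked. <a href="/settings">Review</a></div>`;
}

// Hardened pattern: identical toast, but client_name passes through escapeHtml() first,
// so it can only ever render as text.
function buildRevocationToastSafe(clientName) {
  return `<div class="toast">Access for client "${escapeHtml(clientName)}" was revoked. <a href="/settings">Review</a></div>`;
}

// Defense in depth at registration time: flag names carrying markup or script-like tokens.
// This is a server-side check mirroring the intent of the "suspicious client name" rule;
// it does not replace output encoding, which is the actual fix.
const SUSPICIOUS_NAME = /[<>]|javascript:|on\w+\s*=/i;
function isSuspiciousClientName(clientName) {
  return SUSPICIOUS_NAME.test(String(clientName));
}

// Count HTML tags in rendered markup; the template itself contributes exactly four
// (div, a, /a, /div), so anything above that came from the client_name.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}
```

A registration-time filter alone is bypassable; the escaping in the renderer is the control that removes the bug.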

Impact

Successful exploitation of this XSS vulnerability can lead to significant compromise of an n8n instance. Attackers can steal user credentials and session tokens, allowing them to impersonate legitimate users. Malicious actors could also modify or create workflows, leading to data breaches, system disruption, or unauthorized access. Privilege escalation is also possible, potentially granting attackers administrative control over the n8n platform. The number of potential victims depends on the exposure and user base of the vulnerable n8n instances.

Recommendation

  • Upgrade n8n to version 2.14.2 or later to patch CVE-2026-42235, as recommended in the advisory.
  • Deploy the Sigma rule Detect Suspicious n8n MCP OAuth Client Registration to identify attempts to register OAuth clients with suspicious names.
  • If immediate patching is not feasible, restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only, as suggested in the advisory’s workaround.

Detection coverage (2 rules)

Detect Suspicious n8n MCP OAuth Client Registration

high

Detects attempts to register n8n MCP OAuth clients with suspicious names containing potential XSS payloads.

Format: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux

Detect Toast Notification Rendering XSS Payload

high

Detects potential XSS exploitation via toast notifications rendering malicious client names.

Format: Sigma | Tactics: execution | Techniques: T1059.001 | Sources: webserver, linux

Detection queries are kept inside the platform.