CVE-2026-42230
Open Redirect in n8n Workflow Automation Platform

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks "Deny" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Meta Information
Published: 2026-05-04
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
n8n | n8n | all versions before 1.123.32
n8n | n8n | 2.18.0
n8n | n8n | from 2.17.0 (inclusive) to 2.17.4 (exclusive)
CWE ID | Description
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect'): the web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the n8n workflow automation platform prior to versions 1.123.32, 2.17.4, and 2.18.1. The /mcp-oauth/register endpoint allowed OAuth client registrations without requiring authentication, which meant that arbitrary redirect_uri values could be registered by anyone.

When a user denies the MCP OAuth consent dialog, the system's handleDeny handler redirects the user to the registered redirect_uri without validating it. This behavior enables an open redirect to an attacker-controlled URL.

An attacker can exploit this by crafting a phishing link and sending it to a victim. If the victim clicks "Deny" on the consent page, they are silently redirected to an external malicious site controlled by the attacker.

This issue has been fixed in versions 1.123.32, 2.17.4, and 2.18.1 of n8n.


How can this vulnerability impact me?

This vulnerability can be exploited to perform phishing attacks by redirecting users to malicious external websites without their knowledge after they deny an OAuth consent.

Users may be tricked into visiting attacker-controlled sites, potentially leading to credential theft, malware installation, or other malicious activities.

Because the redirect occurs silently upon denial of consent, users might not suspect the redirection is malicious, increasing the risk of successful attacks.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade n8n to version 1.123.32, 2.17.4, or 2.18.1 or later, where the issue has been patched.

