Open Redirect Vulnerability in n8n Workflow Automation Platform
CVE-2026-42230

5.1 MEDIUM

Key Information:

Vendor: N8n-io
Status: Vendor
CVE Published: 4 May 2026

What is CVE-2026-42230?

The n8n workflow automation platform has an open redirect vulnerability affecting versions before 1.123.32, 2.17.4, and 2.18.1. The /mcp-oauth/register endpoint does not require authentication, so anyone can register an OAuth client, including one with arbitrary redirect URIs. When a user denies the MCP OAuth consent, n8n redirects the browser to the redirect URI from the request without validating it against a trusted registration, so the user can land on an attacker-controlled site; this is the classic open redirect primitive used in phishing. Users of n8n are advised to upgrade to the fixed versions to mitigate this risk.
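The defensive pattern for this class of bug is two-fold: client registration must require an authenticated principal, and a post-consent redirect (including the denial path) must only go to a redirect URI that exactly matches one pre-registered for that client. The following is an added illustration written for this advisory, not n8n's own code; the function names (registerClient, denyConsentRedirect), the in-memory client registry and the sample URIs are all constructed for the example.

```javascript
// Added example, not n8n's implementation. Demonstrates the two checks whose
// absence produces the open redirect described in CVE-2026-42230.

// Constructed in-memory registry of OAuth clients (hypothetical storage).
const clients = new Map();

// Registration requires an authenticated principal. An anonymous request is
// refused outright, so an unauthenticated caller cannot plant redirect URIs.
// Each redirect URI is parsed and constrained before it is stored.
function registerClient({ principal, clientId, redirectUris }) {
  if (!principal) throw new Error("authentication required");
  if (!Array.isArray(redirectUris) || redirectUris.length === 0) {
    throw new Error("at least one redirect_uri is required");
  }
  for (const uri of redirectUris) {
    let parsed;
    try {
      parsed = new URL(uri);
    } catch {
      throw new Error(`malformed redirect_uri: ${uri}`);
    }
    // Assumption for this example: only absolute https URIs without a fragment.
    if (parsed.protocol !== "https:" || parsed.hash !== "") {
      throw new Error(`unacceptable redirect_uri: ${uri}`);
    }
  }
  clients.set(clientId, { owner: principal, redirectUris: [...redirectUris] });
  return clientId;
}

// Decide where the browser goes after the user denies consent.
// The requested redirect_uri must be an exact string match against one of
// the URIs registered for this client; anything else yields an error result
// and no redirect at all (the caller renders an error page instead).
function denyConsentRedirect(clientId, requestedRedirectUri, state) {
  const client = clients.get(clientId);
  if (!client || !client.redirectUris.includes(requestedRedirectUri)) {
    return { error: "invalid_request" };
  }
  const target = new URL(requestedRedirectUri);
  target.searchParams.set("error", "access_denied");
  if (state) target.searchParams.set("state", state);
  return { redirect: target.toString() };
}

// Stand-alone demonstration with constructed values.
registerClient({
  principal: "admin",
  clientId: "demo-client",
  redirectUris: ["https://app.example/callback"],
});
console.log(denyConsentRedirect("demo-client", "https://attacker.example/", "s1"));
console.log(denyConsentRedirect("demo-client", "https://app.example/callback", "s1"));
```

Exact string comparison is deliberate: prefix or substring matching on redirect URIs is a well-known way to reintroduce open redirects. Whether loopback http URIs should be admitted for native clients is a policy choice outside this example's scope.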

Affected Version(s)

n8n < 1.123.32 (fixed in 1.123.32)

n8n >= 2.17.0, < 2.17.4 (fixed in 2.17.4)

n8n >= 2.18.0, < 2.18.1 (fixed in 2.18.1)

References

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
