Unauthenticated Access Vulnerability in n8n Workflow Automation Platform
CVE-2026-42236

8.7 HIGH

Key Information:

Vendor: N8n-io

Status
Vendor
CVE Published: 4 May 2026

What is CVE-2026-42236?

The MCP OAuth client registration endpoint of the n8n Workflow Automation Platform accepts unauthenticated requests. An attacker can send large registration payloads to it, potentially exhausting resources and making the n8n instance unavailable. Although MCP access can be toggled, that setting does not limit client registrations. Users should upgrade to version 1.123.32, 2.17.4, or 2.18.1 to mitigate this risk.

Affected Version(s)

n8n < 1.123.32

n8n >= 2.17.0, < 2.17.4

n8n >= 2.18.0, < 2.18.1

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
