A high-severity vulnerability in n8n’s Model Context Protocol (MCP) OAuth client registration endpoint allows unauthenticated remote attackers to exhaust server memory and render workflow automation instances completely unavailable, no credentials required.
Security researcher Ori-Ron disclosed the flaw, tracked as CVE-2026-42236, via GitHub Security Advisory GHSA-49m9-pgww-9vq6 on April 30, 2026. The vulnerability carries a CVSS 4.0 base score of 8.7 and is rated High under CVSS 3.1: the attack vector is network, no privileges are required, and no user interaction is needed.
For organizations running n8n as a core automation backbone, this flaw represents a serious availability risk that demands immediate action.
n8n is a widely adopted open-source workflow automation platform used by developers and enterprises to connect APIs, services, and AI-powered tools. Its growing integration with the Model Context Protocol (MCP), which powers AI assistant workflows in ChatGPT, Claude, Cursor, and Microsoft Copilot, makes it a high-value target.
With MCP now logging over 97 million monthly SDK downloads across more than 10,000 active servers globally, any vulnerability in this ecosystem carries cascading risk.
CVE-2026-42236: n8n MCP Vulnerability
The root cause lies in n8n’s MCP OAuth client registration endpoint, which accepted unauthenticated requests and stored client data without imposing any resource limits. An attacker could craft and repeatedly submit oversized registration payloads, causing the server to allocate unbounded memory until the n8n instance became completely unresponsive.
What makes this especially dangerous is a logic gap in the MCP toggle. The instance-level on/off switch that is meant to gate MCP functionality did not cover the client registration endpoint itself.
This means that even when MCP was explicitly disabled, the instance remained fully exposed to this denial-of-service vector, giving administrators a false sense of protection.
The CVSS 4.0 vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N confirms the attack requires no special access, no complex conditions, and no user interaction.
While the flaw does not compromise confidentiality or integrity, the High availability impact (VA:H) is sufficient to cause full service disruption for any dependent applications or automated pipelines.
Affected Versions
n8n deployments running 1.x below 1.123.32, 2.x below 2.17.4, or 2.18.x below 2.18.1 are vulnerable. This spans both the legacy 1.x branch and the current 2.x release track, indicating broad exposure across the user base. Given that n8n is frequently deployed in self-hosted Docker or cloud environments, many instances may be directly exposed to the internet.
| Branch | Vulnerable Versions | Patched Version |
|---|---|---|
| 1.x | < 1.123.32 | >= 1.123.32 |
| 2.17.x | < 2.17.4 | >= 2.17.4 |
| 2.18.x | < 2.18.1 | >= 2.18.1 |
The patches for CVE-2026-42236, released across versions 1.123.32, 2.17.4, and 2.18.1, implement two key remediations. First, an upper bound on the total number of registered MCP clients is enforced to prevent memory exhaustion from bulk registration flooding.
Second, the patch turns off new client creation entirely when MCP is toggled off on the instance, closing the logical bypass that previously made the toggle ineffective. These changes ensure the endpoint is both resource-capped and conditionally reachable only when MCP is intentionally active.
Mitigations
The primary remediation is to upgrade n8n immediately to version 1.123.32, 2.17.4, or 2.18.1 or later, depending on your deployment branch. For teams where an immediate upgrade is not feasible, n8n recommends two temporary mitigations:
- Restrict network access to the n8n instance to prevent requests from untrusted external sources.
- Reduce the maximum accepted payload size by lowering the N8N_PAYLOAD_SIZE_MAX environment variable from its default value.
Additionally, deploying a Web Application Firewall (WAF) in front of internet-exposed n8n instances can add a layer of rate limiting and payload filtering. These workarounds provide only partial protection: a lower payload cap shrinks each allocation but does not bound how many registrations are stored, so they do not fully remediate the vulnerability and should be treated as short-term measures while patching is prioritized.
CVE-2026-42236 does not exist in isolation. n8n has faced a string of serious security disclosures in 2026. In January, CVE-2026-21858 (dubbed “Ni8mare”) exposed a critical unauthenticated RCE vulnerability via webhook content-type confusion, allowing attackers to achieve full host compromise.
In March, two chained critical flaws, including a sandbox escape tracked as CVE-2026-27577 (CVSS 9.4), enabled arbitrary command execution on the host. Most recently, CVE-2026-42231 and CVE-2026-42232, two Prototype Pollution flaws escalatable to RCE, were patched in the same releases that address CVE-2026-42236.
This pattern signals that MCP-integrated endpoints are becoming a concentrated attack surface as AI-powered automation platforms scale. Security teams managing n8n deployments should treat the platform as a high-risk, internet-facing service and enforce strict patching cycles, network segmentation, and monitoring.
FAQ
Q1: Does CVE-2026-42236 allow data theft or code execution?
No, the vulnerability only impacts availability, causing memory exhaustion and service downtime with no confidentiality or integrity impact.
Q2: Is my n8n instance vulnerable even if I have MCP disabled?
Yes, the MCP toggle did not restrict the client registration endpoint, making all pre-patch instances vulnerable regardless of MCP configuration.
Q3: What is the fastest way to check if my instance is patched?
Log in to your n8n instance and check the version number in the Settings panel against your branch: you need 1.123.32 or later on 1.x, 2.17.4 or later on 2.17.x, or 2.18.1 or later on 2.18.x.
Q4: Are there active exploits in the wild for CVE-2026-42236?
No confirmed large-scale exploitation has been reported, but the low attack complexity and the lack of authentication requirements make rapid weaponization a realistic risk.
Site: thecybrdef.com