CVE-2026-42235 - Vulnerability Analysis
Severity: Critical
CVSS: 9.6
Last Updated: May 6, 2026
n8n - Stored XSS
Published: May 4, 2026
Updated: May 6, 2026
Remote Exploitable
Overview
n8n versions earlier than the fixed releases 1.123.32, 2.17.4, and 2.18.1 contain a stored XSS caused by improper sanitization of the client_name field in MCP OAuth client registration. An unauthenticated attacker can register a client whose name carries script content and thereby execute arbitrary JavaScript in a victim's session; exploitation requires victim user interaction.
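The weakness above is a dynamically registered OAuth client's client_name being placed into HTML without escaping. The following is an added illustration, not n8n's code, and assumes the stored name is later shown to a user in an authorization prompt; it shows the unsafe rendering beside an escaped version and a registration-time validation check.

```javascript
// Added example (not n8n's code). Assumption: a registered client's
// client_name is rendered into an HTML authorization prompt for the user
// who approves the client.

// Constructed registration payload, shaped like an OAuth Dynamic Client
// Registration (RFC 7591) request body. The name holds markup as a stand-in
// for untrusted input: anything an unauthenticated caller can submit must be
// treated this way.
const registrationRequest = {
  client_name: '<img src=x onerror="alert(1)"> Example App',
  redirect_uris: ['https://client.example/callback'],
};

// Vulnerable pattern: the stored name is interpolated straight into markup,
// so the browser parses the attacker-controlled string as HTML.
function renderPromptUnsafe(client) {
  return `<p>Allow <b>${client.client_name}</b> to access your workflows?</p>`;
}

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape at the output boundary every time the value is
// placed into HTML. Storage-side validation alone does not protect other
// rendering paths.
function renderPromptSafe(client) {
  return `<p>Allow <b>${escapeHtml(client.client_name)}</b> to access your workflows?</p>`;
}

// Defence in depth at registration time. RFC 7591 describes client_name as a
// human-readable string, so rejecting angle brackets, control characters and
// over-long values (the 100-char limit is a hypothetical policy) loses
// nothing legitimate.
function validateClientName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 100) return false;
  return !/[<>\u0000-\u001f]/.test(name);
}
```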
Severity & Score
Severity: Critical
CVSS Score: 9.6
Impact
Attackers can execute arbitrary JavaScript in authenticated sessions, leading to credential theft, session hijacking, and privilege escalation.
Mitigation
Update to versions 1.123.32, 2.17.4, or 2.18.1 or later.
Details
- CVE ID: CVE-2026-42235
- Severity: Critical
- CVSS Score: 9.6
- Type: stored_xss
- Status: confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H