GHSA-537j-gqpc-p7fq: n8n Vulnerable to XSS via MCP OAuth client
Summary
n8n (a workflow automation tool) has a vulnerability in which an attacker could inject malicious code through a fake OAuth client name; the code runs in a victim's browser when the victim revokes that client's access. This cross-site scripting (XSS) attack, in which malicious code is injected into a web page, could let attackers steal login credentials, take over sessions, or modify workflows.
Solution / Mitigation
This issue has been fixed in n8n version 2.14.2. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should restrict access to the n8n instance and to the MCP OAuth registration endpoint to trusted users only, or disable MCP server functionality if it is not actively required. The advisory notes that these workarounds do not fully remediate the risk and should be used only as short-term mitigation measures.
Vulnerability Details
EPSS: 0.0%
April 29, 2026
Related Issues
CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
CVE-2026-40087: LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-str
Original source: https://github.com/advisories/GHSA-537j-gqpc-p7fq
First tracked: April 29, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%