Improper Neutralization of Alternate XSS Syntax in n8n - #VU127217
Published: April 23, 2026
n8n
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript in a victim's authenticated browser session.
The vulnerability exists due to improper neutralization of alternate XSS syntax in the MCP OAuth client consent and revocation notification flow when rendering a crafted client_name. A remote attacker can register a malicious MCP OAuth client to execute arbitrary JavaScript in a victim's authenticated browser session.
User interaction is required to authorize the OAuth consent dialog and click the rendered link in the toast notification.
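A hardened rendering path for the flow described above, as an added example that is not n8n's code (the helper names, the toast markup and all inputs are constructed for illustration): the untrusted client_name is escaped as text, and the link target is normalised past alternate scheme spellings (mixed case, embedded control characters, HTML entities) before only an explicit http(s) URL is accepted.

```javascript
// Added example, not n8n's code. Helper names, toast markup and inputs are
// constructed for illustration of defending against alternate XSS syntax (CWE-87).

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Escape every character that can open a tag, attribute or entity, so the
// OAuth client_name is always rendered as text and never parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Decode numeric entities and the named whitespace entities that can be used
// to spell a URL scheme in an alternate form; out-of-range code points are dropped.
function decodeEntities(s) {
  const fromCp = (cp) => (cp > 0x10ffff ? "" : String.fromCodePoint(cp));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n");
}

// Normalise first, then allow-list: decode entities, strip ASCII control characters
// and whitespace (browsers ignore them inside a scheme, so a tab in the middle of
// the scheme does not change how it is interpreted), and require an explicit
// http(s) scheme. Returns the serialised URL, or null when the target must not be linked.
function safeHref(raw) {
  const cleaned = decodeEntities(String(raw)).replace(/[\u0000-\u0020\u007f]/g, "");
  if (!/^https?:\/\//i.test(cleaned)) return null;
  try {
    return new URL(cleaned).href;
  } catch {
    return null;
  }
}

// Build the toast markup: client_name is text-escaped, the link target is
// validated and attribute-escaped, and the link is omitted when validation fails
// instead of falling back to the raw value.
function renderToast(clientName, clientUri) {
  const name = escapeHtml(clientName);
  const href = safeHref(clientUri);
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${name}</a>`
    : name;
  return `<div class="toast">OAuth client ${link} was revoked.</div>`;
}
```

In a real toast component the same two rules apply when building DOM nodes directly: assign the name via `textContent` and set `href` only from the value `safeHref` returns.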