Open redirect in n8n - #VU127226

 


Published: April 23, 2026


Vulnerability identifier: #VU127226
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote attacker to redirect users to an external site and disclose limited sensitive information.

The vulnerability exists due to improper input validation in the MCP OAuth consent flow when handling OAuth client registration and consent denial requests. A remote attacker can register an arbitrary redirect_uri and send a crafted phishing link to redirect users to an attacker-controlled site and disclose limited sensitive information.

User interaction is required, and exploitation occurs if the victim clicks "Deny" on the consent page.
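The defensive pattern for this class of weakness (CWE-601 in an OAuth consent flow), as an added example that is not n8n's code and does not describe how the vendor fixed the issue: a redirect_uri validator applied at client registration, and a consent-denial handler that only redirects to an exactly matching registered URI and otherwise renders an error instead of redirecting. The function names (validateRedirectUri, registerClient, resolveRedirect, buildDenyResponse), the in-memory client registry and the sample URIs are all constructed for this example.

```javascript
// Added example, not n8n's code: strict redirect_uri handling for an OAuth
// authorization server's registration and consent-denial endpoints.
// Assumed design: the browser is only ever sent to a URI that was accepted at
// client registration, and the value supplied with the consent request must
// match one of those exactly (string equality on the normalized absolute URL).

// Registration-time check for a client's proposed redirect_uri.
// Returns the normalized URI string, or null if it is rejected.
function validateRedirectUri(candidate) {
  let url;
  try {
    url = new URL(candidate); // rejects relative or malformed values
  } catch {
    return null;
  }
  if (url.username || url.password) return null; // no embedded credentials
  if (url.hash) return null; // RFC 6749 3.1.2: no fragment component
  const loopback =
    url.hostname === "127.0.0.1" ||
    url.hostname === "localhost" ||
    url.hostname === "[::1]";
  if (url.protocol === "https:") return url.href;
  if (url.protocol === "http:" && loopback) return url.href; // native-app loopback only
  return null; // any other scheme (custom, data, http to a remote host) is refused
}

// In-memory client registry (constructed sample store, not a real backend).
const clients = new Map();

// Dynamic client registration: every proposed redirect_uri must pass
// validation, otherwise the whole registration is rejected.
function registerClient(clientId, redirectUris) {
  const accepted = redirectUris.map(validateRedirectUri);
  if (accepted.length === 0 || accepted.some((u) => u === null)) {
    return { ok: false, error: "invalid_redirect_uri" };
  }
  clients.set(clientId, new Set(accepted));
  return { ok: true };
}

// Decide where a consent response (grant or deny) may send the browser.
// The request-supplied redirect_uri must equal a registered one exactly;
// otherwise the server must show an error page and not redirect at all.
function resolveRedirect(clientId, requestedUri) {
  const registered = clients.get(clientId);
  if (!registered) return { redirect: false, error: "unknown_client" };
  let normalized;
  try {
    normalized = new URL(requestedUri).href;
  } catch {
    return { redirect: false, error: "invalid_request" };
  }
  if (!registered.has(normalized)) {
    return { redirect: false, error: "invalid_redirect_uri" };
  }
  return { redirect: true, location: normalized };
}

// Consent denial: the "Deny" button must not become an open redirect, so the
// access_denied error is only appended to a registered redirect target.
function buildDenyResponse(clientId, requestedUri, state) {
  const r = resolveRedirect(clientId, requestedUri);
  if (!r.redirect) return { status: 400, body: r.error }; // render, do not redirect
  const loc = new URL(r.location);
  loc.searchParams.set("error", "access_denied");
  if (state) loc.searchParams.set("state", state);
  return { status: 302, location: loc.href };
}

// Stand-alone demonstration with constructed sample data.
registerClient("sample-client", ["https://app.example/cb"]);
console.log(buildDenyResponse("sample-client", "https://app.example/cb", "s1"));
console.log(buildDenyResponse("sample-client", "https://app.example.evil/cb", "s1"));
console.log(buildDenyResponse("sample-client", "https://app.example/cb/../other", "s1"));

module.exports = { validateRedirectUri, registerClient, resolveRedirect, buildDenyResponse };
```

The exact-match rule is deliberate: prefix or host-only matching lets path traversal, sibling subdomains or a query-string tail turn a legitimate registered URI into an attacker-chosen destination, and a request that fails the check should get an error page rather than any redirect.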


Remediation

Install the security update from the vendor's website.

Sources