{"id":108678,"date":"2026-05-12T15:53:27","date_gmt":"2026-05-12T13:53:27","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=108678"},"modified":"2026-05-12T15:53:29","modified_gmt":"2026-05-12T13:53:29","slug":"n8n-overdos-vulnerability-cve-2026-42236","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/","title":{"rendered":"OverDoS: Taking Down Over 70,000 n8n Instances"},"content":{"rendered":"<p class=\"print-source-info\">This document &copy;&nbsp;Checkmarx, all rights reserved.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">OverDoS Executive Summary<\/h2>\n\n\n\n<p>The Checkmarx Zero team has discovered vulnerabilities in n8n, most notably an <strong>unauthenticated<\/strong> denial-of-service flaw that allows attackers to take down <strong>any internet-facing n8n instance<\/strong> (or indeed any instance an attacker can connect to). 
Tracked as <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-49m9-pgww-9vq6\">CVE-2026-42236<\/a>, this vulnerability has been assigned a High severity rating with a CVSS 4.0 base score of 8.7 (<a href=\"https:\/\/www.first.org\/cvss\/calculator\/4.0#CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:N\/VI:N\/VA:H\/SC:N\/SI:N\/SA:N\">CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:N\/VI:N\/VA:H\/SC:N\/SI:N\/SA:N<\/a>). We refer to this specific vulnerability as \u201cOverDoS\u201d.<\/p>\n\n\n\n<p>Alongside OverDoS, we also identified a moderate-severity Open Redirect, tracked as <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-f6x8-65q6-j9m9\">CVE-2026-42230<\/a>, with a CVSS 4.0 base score of 5.1 (<a href=\"https:\/\/www.first.org\/cvss\/calculator\/4.0#CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:A\/VC:L\/VI:N\/VA:N\/SC:L\/SI:N\/SA:N\">CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:A\/VC:L\/VI:N\/VA:N\/SC:L\/SI:N\/SA:N<\/a>).<\/p>\n\n\n\n<p>The CVEs were published on 26 April 2026. 
Both issues were reported to n8n and patched promptly; our thanks to the n8n team for their exemplary handling of these issues.<\/p>\n\n\n<section class=\"section-quote-share light-theme\">\n    <div class=\"main-wrapper section-quote-share__wrapper\">\n        <div class=\"section-quote-share__container\">\n            <div class=\"section-quote-share__quote\">\n                <h1 class=\"section-quote-share__text\">\n                    &ldquo;The Checkmarx Zero team discovered a critical Denial of Service in n8n, called OverDoS, that lets attackers take down any n8n instance they can connect to.&rdquo;\n                <\/h1>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n\n<h3 class=\"wp-block-heading\">Vulnerable versions:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&lt; 1.123.32<\/li>\n\n\n\n<li>&lt; 2.18.1<\/li>\n\n\n\n<li>&lt; 2.17.4<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"OverDoS:TakingDownOver70,000n8nInstances-Patchedversions:\">Patched versions:<\/h3>\n\n\n\n<p>Users should upgrade to one of the following patched versions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&gt;= 1.123.32<\/li>\n\n\n\n<li>&gt;= 2.18.1<\/li>\n\n\n\n<li>&gt;= 2.17.4<\/li>\n<\/ul>\n\n\n\n<p><strong>Note:<\/strong> No setting or feature toggle mitigates this issue; for internet-facing instances, upgrading is the only fix. If upgrading is not immediately possible, restrict network access to the instance (e.g., VPN, SSO-gated reverse proxy, or IP allowlist).<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Exploiting n8n OverDoS: quick video demo<\/h2>\n\n\n\n<p>Let\u2019s start with a quick demo showing how the database size increases as unauthenticated requests are sent to the server, leading eventually to a filled database and a non-responsive instance, denying further service. 
This is what it looks like to exploit OverDoS:<\/p>\n\n\n\n<div class=\"cxzero-video-include\">\n<video muted controls controlslist=\"nodownload noremoteplayback\">\n<source src=\"\/wp-content\/uploads\/2026\/05\/Checkmarx-Zero-n8n-overDOS-demo-2026-05.mp4\" type=\"video\/mp4\">\n<p><em>Your browser cannot display this video content<\/em><\/p>\n<\/video>\n<p class=\"caption\">A video demo of exploiting OverDoS<\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Technical Analysis of OverDoS and Open Redirect vulnerabilities<\/h2>\n\n\n\n<p>Checkmarx Zero routinely researches popular open-source tools and frameworks including <a href=\"https:\/\/n8n.io\/\">n8n<\/a>, a widely used no-code workflow automation framework. (We&#8217;ve previously published <a href=\"https:\/\/checkmarx.com\/zero-post\/same-origin-same-tricks-bypassing-n8ns-csp-sandbox-cve-2026-27578\/\">a stored XSS stemming from a CSP sandbox bypass<\/a> in the n8n system, for example.)<\/p>\n\n\n\n<p>In one of our recent projects, we uncovered a high-severity unauthenticated Denial of Service (DoS) vulnerability, a moderate-severity Open Redirect flaw, and a few additional risks that organizations adopting n8n should be aware of. All of them trace back to an overly permissive feature that allows MCP clients to connect to an n8n instance: <strong>Dynamic Client Registration (DCR).<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Dynamic Client Registration (DCR)<\/h3>\n\n\n\n<p>In a typical <a href=\"https:\/\/frontegg.com\/blog\/oauth\">OAuth<\/a> setup, registering a client is a manual job: an administrator provisions each client on the authorization server in advance, exchanging credentials and metadata out of band before the client can authenticate anyone. 
That works fine when you know your clients ahead of time \u2014 but this process doesn\u2019t hold if you want clients to onboard themselves at runtime.<\/p>\n\n\n\n<p>That&#8217;s the gap <strong>Dynamic Client Registration<\/strong> (DCR), defined in <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7591\">RFC 7591<\/a>, was designed to fill. The short version is that any client can register itself against the authorization server by sending a POST request to a server endpoint (often a publicly accessible one), with a JSON payload describing itself (including parameters like <code>redirect_uris<\/code>, <code>client_name<\/code>, <code>grant_types<\/code>, and so on).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Just Flexible Enough to Snap Back in Your Face<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"400\" height=\"170\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hiccup-branch.gif\" alt=\"\" class=\"wp-image-108680\"><\/figure>\n<\/div>\n\n\n<p>Every property that makes DCR useful is also a potential entry point for an attacker&#8217;s payload.<\/p>\n\n\n\n<p>The user input sent to that public endpoint is reused across the server&#8217;s flows. It gets persisted in a database, rendered in consent screens, used to redirect the user to attacker-supplied links, and more. Every one of those touchpoints is a place where attacker-controlled metadata can be weaponized if it isn&#8217;t tightly handled. The specifications themselves leave most of this to the implementer \u2014 rate limiting, URI validation, and endpoint authentication. All of which is a polite way of saying that every DCR-enabled server is on its own, and implementing any of those wrong (or not at all) is exactly what attackers look for.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">n8n Implementation<\/h3>\n\n\n\n<p>n8n provides a DCR endpoint as part of its MCP (Model Context Protocol) features. 
It exposes the MCP OAuth client registration endpoint on every default instance \u2014 and, crucially, the MCP enable\/disable toggle that operators use to &#8220;turn the feature off&#8221; doesn&#8217;t block registration. It only prevents <em>use<\/em>. <strong>The endpoint stays open, anonymous, and writable whether the MCP feature is enabled or not.<\/strong><\/p>\n\n\n\n<p>The only things standing between an attacker and arbitrary writes to the database are two settings: a cap on request body size (via the <code>N8N_PAYLOAD_SIZE_MAX<\/code> <a href=\"https:\/\/docs.n8n.io\/hosting\/configuration\/environment-variables\/endpoints\/#:~:text=N8N_PAYLOAD_SIZE_MAX,size%20in%20MiB.\">environment variable, which has a 16 MB default value<\/a>), and a per-IP rate limit of <a href=\"https:\/\/github.com\/n8n-io\/n8n\/blob\/66087e2dd5efc0ec8c8b6da6074122400cdc6540\/packages\/cli\/src\/modules\/mcp\/mcp.oauth.controller.ts#L30-L33\">10 requests every 5 minutes<\/a>. Multiply those together, and a single IP can shovel ~160 MB of attacker-controlled metadata into storage every five minutes.<\/p>\n\n\n\n<p>And that per-IP restriction becomes useless as an anti-DoS measure the moment an attacker reaches for cloud infrastructure, connects via rotating VPNs, or uses any of the dozen other simple ways attackers can make their connections come from multiple IPs. Disk and memory are the limits; nothing in the registration path enforces a real ceiling.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">OverDoS Vulnerable Blast Radius<\/h2>\n\n\n\n<p>A single <a href=\"https:\/\/www.shodan.io\/\">Shodan<\/a> query \u2014 <code>http.title:\"n8n.io - Workflow Automation\"<\/code> \u2014 returns just over <strong>70,000 publicly reachable n8n instances<\/strong>, and that number is a floor, not a ceiling.<\/p>\n\n\n\n<p>Every one of these instances is vulnerable by default. 
The bug doesn&#8217;t require a misconfiguration to trigger; the registration endpoint ships exposed, anonymous, and writable on a fresh install. And at the time of disclosure, there&#8217;s no operator-side mitigation that meaningfully shrinks that number.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"450\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-shodan-results-n8n-overdos-1024x450.png\" alt=\"\" class=\"wp-image-108681\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-shodan-results-n8n-overdos-1024x450.png 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-shodan-results-n8n-overdos-300x132.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-shodan-results-n8n-overdos-768x337.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-shodan-results-n8n-overdos-1536x675.png 1536w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-shodan-results-n8n-overdos-400x176.png 400w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-shodan-results-n8n-overdos.png 1892w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Redacted image of Shodan query results page<\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Beyond OverDoS: Open Redirects and Scamming Users<\/h2>\n\n\n\n<p>The DoS is the loudest thing the registration endpoint hands an attacker, but it isn&#8217;t the only thing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Open Redirect on Deny<\/h3>\n\n\n\n<p>Remember the attacker-controlled <code>redirect_uri<\/code> from the registration payload? n8n honors it on approval \u2014 that&#8217;s the OAuth flow doing its job. But it also honors it on <strong>deny<\/strong>. 
So the <code>handleDeny<\/code> <a href=\"https:\/\/github.com\/n8n-io\/n8n\/blob\/4f4644b82225abc4416242557d745709d92ff2ad\/packages\/frontend\/editor-ui\/src\/app\/views\/OAuthConsentView.vue#L49-L52\">handler sends the user to the same registered URI<\/a> in both cases. Approved? You go to the attacker. Refused? Yep, still go to the attacker. There&#8217;s no third door.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"dark\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">const handleDeny = async () =&gt; {\r\n\ttry {\r\n\t\tconst response = await consentStore.approveConsent(false);\r\n\t\twindow.location.href = response.redirectUrl;<\/code><\/pre>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>The fix is as simple as 
changing one line: on deny, redirect to the n8n dashboard. There&#8217;s no reason to honor a destination chosen by the party that the user just declined to trust.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"OverDoS:TakingDownOver70,000n8nInstances-DressingUptheConsentDialog\">Dressing Up the Consent Dialog<\/h3>\n\n\n\n<p>Clicking Allow grants the MCP client full access to the user&#8217;s workflows \u2014 that&#8217;s the consent flow working as designed. The interesting question is everything that happens <em>before<\/em> the click.<\/p>\n\n\n\n<p>And there&#8217;s a cheap move an unauthenticated attacker can pull. The client_name is attacker-supplied and rendered directly in the consent dialog. And so is the icon \u2014 n8n derives it through a <a href=\"https:\/\/github.com\/n8n-io\/n8n\/blob\/4f4644b82225abc4416242557d745709d92ff2ad\/packages\/frontend\/editor-ui\/src\/app\/views\/OAuthConsentView.vue#L28-L37\">simple substring match against a list of known integrations<\/a>. Drop &#8220;Claude&#8221; into the client name field, and your malicious client shows up in the consent dialog with Anthropic&#8217;s logo next to it.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"dark\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Toolbar -->\n        <div class=\"section-gutenberg-code-highlight__toolbar\">\n            <div class=\"section-gutenberg-code-highlight__toolbar-left\">\n            <\/div>\n        <\/div>\n\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">const clientIcon = computed(() =&gt; {\r\n\tconst clientName = clentDetails.value?.clientName?.toLowerCase() ?? &#039;&#039;;\r\n\tif (ANTHROPIC_CLIENTS.some((name) =&gt; clientName.includes(name))) {\r\n\t\treturn &#039;anthropic&#039;;\r\n\t} else if (LOVABLE_CLIENTS.some((name) =&gt; clientName.includes(name))) {\r\n\t\treturn &#039;lovable&#039;;\r\n\t} else {\r\n\t\treturn &#039;mcp&#039;;\r\n\t}\r\n});<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>This isn&#8217;t a bug in the strict sense. It&#8217;s the DCR pattern paying out exactly what it promises: whatever metadata the client supplies, the server trusts and renders. It doesn&#8217;t take much imagination to see how this plays into a social engineering attack \u2014 one that ends with an attacker listing and executing the victim&#8217;s workflows.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\">Could AI security tools find the OverDoS vulnerability?<\/h2>\n\n\n\n<p>No zero-day analysis today feels complete without asking what AI tools would find on the same target. 
The CVE had been public for two weeks at the time of running these tests, which may affect their accuracy \u2014 but here&#8217;s what Claude Opus and Codex 5.5 found when reviewing this code.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"OverDoS:TakingDownOver70,000n8nInstances-ClaudeOpus\">Claude Opus<\/h3>\n\n\n\n<p>We previously <a href=\"https:\/\/checkmarx.com\/zero-post\/learning-about-llm-based-zero-day-hunting-with-claude-codes-opus-4-6\/\">pointed Opus at the full n8n repository and asked it to find vulnerabilities<\/a> \u2014 it missed this one. We wanted to see whether it could catch the issue when directed at the specific module and controller where the vulnerability lives.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"OverDoS:TakingDownOver70,000n8nInstances-\/Security-ReviewtheOAuthController\">\/Security-Review the OAuth Controller<\/h4>\n\n\n\n<p>With a more focused scope, it succeeded:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"865\" height=\"164\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-narrow.png\" alt=\"Screenshot showing a code vulnerability report titled 'Open dynamic client registration with weak rate limit'. 
It includes a code snippet for '\/mcp-oauth\/register' with 'skipAuth: true' and an IP rate limit, and text explaining that this allows public, ungated client registration without an initial access token, enabling attackers to persist client data.\" class=\"wp-image-108684\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-narrow.png 865w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-narrow-300x57.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-narrow-768x146.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-narrow-400x76.png 400w\" sizes=\"(max-width: 865px) 100vw, 865px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\">\/Security-Review the MCP Module<\/h4>\n\n\n\n<p>With the controller-level scan working, we widened the scope to the full MCP module. Opus still caught the issue:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"899\" height=\"92\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-broad.png\" alt=\"Screenshot showing chat segment titled \u201cH-4. Open, unauthenticated dynamic client registration.\u201d The location is listed as mcp.oauth.controller.ts lines 30\u201334 and mcp-oauth-service.ts lines 64\u201386. Body text explains that the \/mcp-oauth\/register endpoint is skipAuth: true with only IP rate-limiting of 10 requests per 5 minutes. 
registerClient accepts arbitrary client_name and redirect_uris with no validation, allowing no scheme, no length limit, no character restrictions, and no host validation.\" class=\"wp-image-108683\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-broad.png 899w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-broad-300x31.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-broad-768x79.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-claude-found-broad-400x41.png 400w\" sizes=\"(max-width: 899px) 100vw, 899px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\">Codex 5.5<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"OverDoS:TakingDownOver70,000n8nInstances-SecurityAnalysisattheControllerLevel\">Security Analysis at the Controller Level<\/h4>\n\n\n\n<p>At the controller level, Codex 5.5 (with extra-high reasoning) flagged the issue. I \u2014 and the n8n team \u2014 disagree with Codex on the severity rating given the massive potential impact, but the vulnerability was correctly identified:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"813\" height=\"132\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-found-narrow.png\" alt=\"Screenshot of chat session with a bullet labeled \u201cLow\/Medium: public dynamic registration can grow persistent DB state indefinitely.\u201d It states that mcp.oauth.controller.ts line 30 allows unauthenticated writes to oauth_clients. IP rate limiting exists, but there is no ownership, expiry, cleanup, or global cap, so a distributed attacker could still fill the table with clients. 
Suggested mitigations include client TTL or garbage collection for unconsented clients, stricter body and field limits, or feature-gating dynamic registration.\" class=\"wp-image-108685\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-found-narrow.png 813w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-found-narrow-300x49.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-found-narrow-768x125.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-found-narrow-400x65.png 400w\" sizes=\"(max-width: 813px) 100vw, 813px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\">Security Analysis at the MCP Module Level<\/h4>\n\n\n\n<p>With the same settings but a widened scope to the module-level scan, Codex flagged the DCR pattern as a social engineering risk (phishing via the consent screen) but missed the DoS vulnerability:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"380\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-failed-broad-1024x380.png\" alt=\"Chat screenshot showing a user asking whether DoS via the public dynamic client registration endpoint makes the project vulnerable and whether it was mentioned in prior findings. The assistant replies that it would add this as a finding, clarifying that DCR DoS was not explicitly mentioned before and that prior findings only touched DCR in the consent and phishing context. The response says the project is potentially vulnerable to storage or registration DoS because \/mcp-oauth\/register is public with skipAuth: true and each successful request inserts a persistent row into oauth_clients. 
It notes an IP rate limit of 10 requests per 5 minutes, but says that limit is only attached when inProduction is true and does not prevent distributed abuse or long-term database growth.\" class=\"wp-image-108686\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-failed-broad-1024x380.png 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-failed-broad-300x111.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-failed-broad-768x285.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-failed-broad-400x148.png 400w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/checkmarx-zero-n8n-overdos-codex-failed-broad.png 1113w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-7\">Credit to the n8n team\u2019s partnership<\/h2>\n\n\n\n<p>One thing worth repeating: n8n takes security seriously. 
This is our third report to them, and every time the team has been responsive, communicative, and quick to ship fixes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"OverDoS:TakingDownOver70,000n8nInstances-DisclosureTimeline\">Disclosure Timeline<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"OverDoS:TakingDownOver70,000n8nInstances-OpenRedirect\u2014CVE-2026-42230\">Open Redirect \u2014 CVE-2026-42230<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Feb 23, 2026<\/strong> \u2014 Reported to n8n<\/li>\n\n\n\n<li>\n<strong>Mar 4, 2026<\/strong> \u2014 Report acknowledged<\/li>\n\n\n\n<li>\n<strong>Apr 22, 2026<\/strong> \u2014 Fix implemented and verified<\/li>\n\n\n\n<li>\n<strong>Apr 26, 2026<\/strong> \u2014 CVE-2026-42230 assigned<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"OverDoS:TakingDownOver70,000n8nInstances-DenialofService\u2014CVE-2026-42236\">Denial of Service \u2014 CVE-2026-42236<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Mar 5, 2026<\/strong> \u2014 Reported to n8n<\/li>\n\n\n\n<li>\n<strong>Mar 17, 2026<\/strong> \u2014 Report acknowledged<\/li>\n\n\n\n<li>\n<strong>Apr 22, 2026<\/strong> \u2014 Fix implemented and verified<\/li>\n\n\n\n<li>\n<strong>Apr 26, 2026<\/strong> \u2014 CVE-2026-42236 assigned<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The OverDoS vulnerability puts any attacker-accessible n8n deployment in the crosshairs, allowing malicious actors to fill the n8n database and deny service to legitimate users. 
And an adjacent Open Redirect allows attackers a path to scam legitimate users.<\/p>\n","protected":false},"author":121,"featured_media":108688,"template":"","zero-category":[1067,1176],"zero-tag":[1128,1484,1524,1084],"class_list":["post-108678","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-security-blogs","zero-tag-cve","zero-tag-n8n","zero-tag-overdos","zero-tag-vulnerability"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>OverDoS: Taking Down Over 70,000 n8n Instances - Checkmarx<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OverDoS: Taking Down Over 70,000 n8n Instances - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"The OverDoS vulnerability puts any attacker-accessible n8n deployment in the crosshairs, allowing malicious actors to fill the n8n database and deny service to legitimate users. 
And an adjacent Open Redirect allows attackers a path to scam legitimate users.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-12T13:53:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/cxzero-feature-n8n-overdos-cve-2026-42236.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/\",\"name\":\"OverDoS: Taking Down Over 70,000 n8n Instances - 
Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/cxzero-feature-n8n-overdos-cve-2026-42236.webp\",\"datePublished\":\"2026-05-12T13:53:27+00:00\",\"dateModified\":\"2026-05-12T13:53:29+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/cxzero-feature-n8n-overdos-cve-2026-42236.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/cxzero-feature-n8n-overdos-cve-2026-42236.webp\",\"width\":2560,\"height\":1280,\"caption\":\"A dark, grunge-style illustration of a hooded figure with glowing green eyes, holding a weapon emitting green user icons. A cracked data server with a red warning sign, dripping red, stands behind. A world map with red network lines and dripping green 'X' marks are in the background. A monitor with code and 'n8n' logo is in the foreground, with 'Checkmarx ZERO' text.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OverDoS: Taking Down Over 70,000 n8n Instances - Checkmarx","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/","og_locale":"en_US","og_type":"article","og_title":"OverDoS: Taking Down Over 70,000 n8n Instances - Checkmarx","og_description":"The OverDoS vulnerability puts any attacker-accessible n8n deployment in the crosshairs, allowing malicious actors to fill the n8n database and deny service to legitimate users. 
And an adjacent Open Redirect allows attackers a path to scam legitimate users.","og_url":"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-05-12T13:53:29+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/cxzero-feature-n8n-overdos-cve-2026-42236.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/","url":"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/","name":"OverDoS: Taking Down Over 70,000 n8n Instances - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/cxzero-feature-n8n-overdos-cve-2026-42236.webp","datePublished":"2026-05-12T13:53:27+00:00","dateModified":"2026-05-12T13:53:29+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/n8n-overdos-vulnerability-cve-2026-42236\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/cxzero-feature-n8n-overdos-cve-2026-42236.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/cxzero-feature-n8n-overdos-cve-2026-42236.webp","width":2560,"height":1280,"caption":"A 
dark, grunge-style illustration of a hooded figure with glowing green eyes, holding a weapon emitting green user icons. A cracked data server with a red warning sign, dripping red, stands behind. A world map with red network lines and dripping green 'X' marks are in the background. A monitor with code and 'n8n' logo is in the foreground, with 'Checkmarx ZERO' text."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/108678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/121"}],"wp:featuredmedia":[{"embeddable":true,
"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/108688"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=108678"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=108678"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=108678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}