OverDoS: Taking Down Over 70,000 n8n Instances
ID: f09a544e-9bc4-51da-b74e-89203bae00b2
STIX ID: report--f09a544e-9bc4-51da-b74e-89203bae00b2
Feed Name: Checkmarx Zero
The Checkmarx Zero team discovered two vulnerabilities in n8n that stem from an exposed, writable Dynamic Client Registration endpoint: a high-severity unauthenticated denial-of-service vulnerability (OverDoS, CVE-2026-42236, CVSS 8.7) and a moderate Open Redirect (CVE-2026-42230). OverDoS lets attackers persist large amounts of metadata to fill databases and render internet-facing instances non-responsive; roughly 70,000 reachable instances were identified. Both issues were reported and patched in April 2026.
