CVE-2026-54308
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
In n8n before versions 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger nodes did not validate inbound requests. An unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data.
Risk Assessment
The risk involves an attacker executing unauthorized actions in the workflow, potentially leading to data integrity breaches or unauthorized access to systems.
Recommendation
Update n8n to version 2.25.7 or 2.26.2 immediately, which contain the fix for this vulnerability.
Original NVD description (English source)
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.

