CVE Catalog

CVE-2026-54308

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

In n8n before versions 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger nodes did not validate inbound requests. An unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data.

Risk Assessment

The risk involves an attacker executing unauthorized actions in the workflow, potentially leading to data integrity breaches or unauthorized access to systems.

Recommendation

Update n8n to version 2.25.7 or 2.26.2 immediately, which contain the fix for this vulnerability.

Original NVD description (English source)

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS