CVE-2026-56357
MediumCVSS 4.0Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
n8n versions before 1.123.15 and 2.5.0 contain a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.
Risk Assessment
This vulnerability may lead to unauthorized workflow execution in n8n, potentially resulting in data leaks or other undesirable actions within the system.
Recommendation
It is recommended to update n8n to version 1.123.15 or 2.5.0 to patch this vulnerability and to implement additional security mechanisms for webhooks.
Original NVD description (English source)
n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

