CVE Catalog

CVE-2026-56357

MediumCVSS 4.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

n8n versions before 1.123.15 and 2.5.0 contain a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

Risk Assessment

This vulnerability may lead to unauthorized workflow execution in n8n, potentially resulting in data leaks or other undesirable actions within the system.

Recommendation

It is recommended to update n8n to version 1.123.15 or 2.5.0 to patch this vulnerability and to implement additional security mechanisms for webhooks.

Original NVD description (English source)

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS