Description
n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only.
Published: 2026-01-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Execution of Workflows
Action: Update Immediately
AI Analysis

Impact

An authentication bypass flaw in n8n's Stripe Trigger node lets an unauthenticated party submit fabricated Stripe webhook events. When the node registers its webhook endpoint with Stripe it receives and stores a webhook signing secret, but incoming requests were never checked against that secret, so any HTTP client that knows the webhook URL can POST a JSON body whose `type` matches a subscribed event and the workflow runs as if Stripe had sent it. The flaw is an authentication bypass by spoofing (CWE-290): an attacker can feign payment or subscription events and steer whatever downstream actions the workflow takes on them.

Affected Systems

The vulnerability affects n8n versions from 0.150.0 through 2.2.1, inclusive. Any deployment running one or more active workflows that include a Stripe Trigger node is exposed until it is upgraded to 2.2.2; the only barrier to a forged request is knowledge of the webhook URL. Although that URL contains a high-entropy UUID, it is visible to any authenticated n8n user who can open the workflow, and because the node registered it with Stripe it also appears in the Stripe account's list of webhook endpoints, so the URL should be treated as a shared value rather than a secret.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N) reflects network-reachable, unauthenticated exploitation with high integrity impact; the high attack-complexity rating accounts for the need to learn the UUID in the webhook URL first. The EPSS score below 1 percent suggests a low probability of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. Exploitation needs nothing more than the webhook URL and a POST whose JSON body carries a subscribed Stripe event type; no memory corruption, exploit tooling or privileged access is involved. Because the Stripe-Signature header is never checked, a crafted request is accepted and the workflow executes with whatever credentials and integrations it holds.

Generated by OpenCVE AI on April 18, 2026 at 07:43 UTC.

Remediation

Fixed in n8n 2.2.2 (advisory GHSA-jf52-3f2h-h9j5). Until the upgrade is applied, deactivate workflows that use the Stripe Trigger node, or restrict access to those workflows to trusted users so that the webhook URL is not exposed.

OpenCVE Recommended Actions

  • Upgrade n8n to version 2.2.2 or later to apply the official patch.
  • If an upgrade is not yet possible, temporarily deactivate any workflows that use the Stripe Trigger node.
  • Restrict access to workflows containing Stripe Trigger nodes so that only trusted users can view the webhook URL and manage the workflow.

Advisories
Source: GitHub GHSA
ID: GHSA-jf52-3f2h-h9j5
Title: n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
History

Tue, 20 Jan 2026 15:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*

Mon, 12 Jan 2026 14:45:00 +0000

Type: First Time appeared
Values added: N8n; N8n n8n
Type: Vendors & Products
Values added: N8n; N8n n8n

Thu, 08 Jan 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:15:00 +0000

Type: Description
Values added: the CVE description quoted at the top of this page
Type: Title
Values added: n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
Type: Weaknesses
Values added: CWE-290
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T14:42:36.631Z

Reserved: 2026-01-05T17:24:36.929Z

Link: CVE-2026-21894

Vulnrichment

Updated: 2026-01-08T14:42:31.684Z

NVD

Status: Analyzed

Published: 2026-01-08T10:15:55.970

Modified: 2026-01-20T15:09:07.647

Link: CVE-2026-21894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses