Description
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger nodes did not validate inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in n8n's MicrosoftAgent365Trigger and StripeTrigger nodes, which do not validate inbound webhook requests. An attacker who knows a workflow's webhook URL can forge a payload that is accepted and processed, causing the workflow to execute with attacker-controlled data. The flaw is an Authentication Bypass by Spoofing (CWE-290) that can lead to unintended workflow actions. It was fixed in n8n 2.25.7 and 2.26.2.

Affected Systems

The issue affects the n8n automation platform (n8n-io/n8n) in all versions released before 2.25.7 and before 2.26.2. Administrators should verify that their deployment is not using a vulnerable release.

Risk and Exploitability

With a CVSS score of 6.3, the vulnerability poses moderate risk. The EPSS score is not available, so the likelihood of real-world exploitation remains unclear, but any attacker who learns the webhook URL can trigger the flaw. The vulnerability is not listed in the CISA KEV catalog. Given its network-based nature, systems exposed to the internet are most susceptible, and any workflow that can perform privileged actions may be abused.

Generated by OpenCVE AI on June 23, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 2.25.7 or 2.26.2 or later to install the fixed code.
  • Restrict network access to the webhook URLs by limiting IP ranges or placing them behind a firewall.
  • Implement additional authentication, such as a shared secret or custom header token, to validate incoming webhook requests before processing.


Advisories

Source: GitHub GHSA
ID: GHSA-jvc7-762p-3743
Title: n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes

History

Tue, 23 Jun 2026 16:45:00 +0000

Values added (nothing removed):

Description: n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger nodes did not validate inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.
Title: n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node
Weaknesses: CWE-290
References: none
Metrics: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:42:39.342Z

Reserved: 2026-06-12T18:42:02.222Z

Link: CVE-2026-54308

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T22:15:04Z

Weaknesses
  • CWE-290: Authentication Bypass by Spoofing