Description
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger nodes did not validate inbound requests. This flaw allows an unauthenticated attacker who knows a workflow's webhook URL to submit a forged payload, causing the workflow to run with attacker‑controlled data and enabling unauthorized actions. The vulnerability is an Authentication Failure (CWE‑290) and has been fixed in versions 2.25.7 and 2.26.2.

Affected Systems

The issue affects the n8n automation platform (n8n-io/n8n) in all versions released before 2.25.7 and before 2.26.2. Administrators should verify that their deployment is not using a vulnerable release.

Risk and Exploitability

With a CVSS score of 6.3, the exploit poses moderate risk. The EPSS score is not available, so the likelihood of real‑world exploitation remains unclear, but an attacker who gains knowledge of the webhook URL can trigger the flaw. The vulnerability is not listed in the CISA KEV catalog. Given its network‑based nature, systems exposed to the internet are most susceptible, and any workflow that can perform privileged actions may be abused.

Generated by OpenCVE AI on June 24, 2026 at 11:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 2.25.7 or 2.26.2 or later to install the fixed code.
  • Restrict network access to the webhook URLs by limiting IP ranges or placing them behind a firewall.
  • Implement additional authentication, such as a shared secret or custom header token, to validate incoming webhook requests before processing.

Generated by OpenCVE AI on June 24, 2026 at 11:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jvc7-762p-3743 n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.
Title n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node
Weaknesses CWE-290
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:59:08.481Z

Reserved: 2026-06-12T18:42:02.222Z

Link: CVE-2026-54308

cve-icon Vulnrichment

Updated: 2026-06-24T13:59:01.262Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing