Impact
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger nodes did not validate inbound requests. This flaw allows an unauthenticated attacker who knows a workflow's webhook URL to submit a forged payload, causing the workflow to run with attacker‑controlled data and enabling unauthorized actions. The vulnerability is an Authentication Failure (CWE‑290) and has been fixed in versions 2.25.7 and 2.26.2.
Affected Systems
The issue affects the n8n automation platform (n8n-io/n8n) in all versions released before 2.25.7 and before 2.26.2. Administrators should verify that their deployment is not using a vulnerable release.
Risk and Exploitability
With a CVSS score of 6.3, the exploit poses moderate risk. The EPSS score is not available, so the likelihood of real‑world exploitation remains unclear, but an attacker who gains knowledge of the webhook URL can trigger the flaw. The vulnerability is not listed in the CISA KEV catalog. Given its network‑based nature, systems exposed to the internet are most susceptible, and any workflow that can perform privileged actions may be abused.
OpenCVE Enrichment
Github GHSA