Description
n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n before version 1.123.15 and 2.5.0 has a missing HMAC‑SHA256 signature check in its GitHub Webhook Trigger node. Attackers who can obtain the public webhook URL can forge POST requests that the system treats as authentic GitHub events, causing arbitrary workflows to run with the supplied payload. This flaw allows an attacker to execute arbitrary code or capture data that the workflow is permitted to handle, representing a breach of confidentiality, integrity, or availability.

Affected Systems

The vulnerability affects installations of the n8n automation platform prior to release 1.123.15 or 2.5.0. Any instance exposing a GitHub webhook trigger endpoint that does not enforce HMAC verification is susceptible.

Risk and Exploitability

The CVSS v4.0 score of 6.3 indicates a medium severity vulnerability. Because the attack vector is remote and requires only knowledge of the publicly exposed webhook URL, the risk of exploitation is non-trivial. EPSS does not provide a probability, and the issue is not listed in the CISA KEV catalog, but the lack of cryptographic validation (CWE-290) makes any n8n instance whose webhook endpoint is reachable by an attacker a likely target.

Generated by OpenCVE AI on June 22, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to a version that includes the HMAC‑SHA256 verification fix (at least 1.123.15 or 2.5.0).
  • Verify that the GitHub Webhook Trigger node is configured to enforce signature verification and that a signing secret is set.
  • Add network‑level restrictions, such as firewall rules or IP whitelisting, to limit access to the webhook endpoint to known GitHub hosts or other trusted sources.


Advisories
Source       ID                   Title
Github GHSA  GHSA-mqpr-49jj-32rc  n8n: Webhook Forgery on Github Webhook Trigger
History

Mon, 22 Jun 2026 22:00:00 +0000 (initial record: no values removed; values added listed below)

  • Description: n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.
  • Title: n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger
  • First Time appeared: N8n; N8n n8n
  • Weaknesses: CWE-290
  • CPEs: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
  • Vendors & Products: N8n; N8n n8n
  • References: (none listed)
  • Metrics:
      cvssV3_1: {'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}
      cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:52.333Z

Reserved: 2026-06-20T21:16:53.711Z

Link: CVE-2026-56357

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T02:30:16Z

Weaknesses
  • CWE-290: Authentication Bypass by Spoofing