Skip to main content

n8n CVE-2026-54308

| EUVDEUVD-2026-38473 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-06-16 https://github.com/n8n-io/n8n GHSA-jvc7-762p-3743
6.3
CVSS 4.0 · Vendor: https://github.com/n8n-io/n8n
Share

Severity by source

Vendor (https://github.com/n8n-io/n8n) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

AV:N (webhook is network-accessible), PR:N (no token or credential check exists), S:C (workflow execution cascades to downstream integrated systems), C:L/I:L (forged data injection with limited direct confidentiality exposure), A:N (no availability impact).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (https://github.com/n8n-io/n8n).

CVSS VectorVendor: https://github.com/n8n-io/n8n

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Jun 23, 2026 - 18:22 NVD
7.2 (MEDIUM) 6.3 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 19:21 vuln.today
Analysis Generated
Jun 16, 2026 - 19:21 vuln.today
CVE Published
Jun 16, 2026 - 19:00 github-advisory
MEDIUM 7.2

DescriptionCVE.org

Impact

The MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data.

Patches

The issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Deactivate any workflows using the Microsoft Agent 365 Trigger node or Stripe Trigger node until the instance can be upgraded.
  • Restrict network access to the n8n webhook endpoint to trusted sources only.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

Missing webhook request validation in n8n's MicrosoftAgent365Trigger and StripeTrigger nodes allows unauthenticated remote attackers who know the webhook URL to submit forged payloads and cause arbitrary workflow execution with attacker-controlled data. All n8n npm versions below 2.25.7 and versions 2.26.0-2.26.1 are affected when either node is actively used in a workflow. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:C scoring reflects low-complexity, unauthenticated network exploitation with a scope change indicating potential downstream impact on systems integrated with triggered workflows.

Technical ContextAI

n8n is an open-source workflow automation platform distributed as an npm package that processes external events through webhook-based trigger nodes. CWE-290 (Authentication Bypass by Spoofing) identifies the root cause: the MicrosoftAgent365Trigger and StripeTrigger nodes fail to perform cryptographic or token-based verification of inbound HTTP webhook requests before processing their payloads. Both Microsoft and Stripe provide HMAC signature or secret-token mechanisms to allow receiving endpoints to authenticate the origin of webhook calls - without validating these signatures, n8n cannot distinguish a legitimate platform event from a forged request by any party who possesses the endpoint URL. The affected CPE identifiers are pkg:npm/n8n covering all versions below 2.25.7 and the 2.26.0-2.26.1 range.

RemediationAI

The definitive fix is upgrading n8n to version 2.25.7 or 2.26.2 (or any later release), both of which contain the vendor-released patch restoring proper inbound request validation on the affected trigger nodes; see https://github.com/n8n-io/n8n/security/advisories/GHSA-jvc7-762p-3743 for patch details. If immediate upgrade is not feasible, the vendor recommends deactivating all workflows that use the MicrosoftAgent365Trigger or StripeTrigger nodes - this eliminates the exploitable attack surface but also halts legitimate webhook processing for those integrations, disrupting dependent automations. As a second workaround, restrict network access to the n8n webhook endpoint at the firewall or reverse-proxy layer, allowing only IP ranges published by Microsoft (via Azure Service Tags) and Stripe (via their documented webhook IP list); this substantially raises the bar for exploitation but does not remediate the underlying missing-validation flaw and may be circumvented if those IP ranges are spoofed or if the attacker has access from a trusted network segment. The vendor explicitly states neither workaround fully remediates risk.

Share

CVE-2026-54308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy