Skip to main content

n8n EUVDEUVD-2026-38377

| CVE-2026-56357 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-06-22 VulnCheck
6.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

AC:H reflects the attack requirement of knowing the non-public webhook URL; no authentication, no confidentiality or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 22, 2026 - 23:02 EUVD
Source Code Evidence Fetched
Jun 22, 2026 - 22:23 vuln.today
Analysis Generated
Jun 22, 2026 - 22:23 vuln.today

DescriptionCVE.org

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

AnalysisAI

Webhook forgery in n8n's GitHub Webhook Trigger node allows unauthenticated remote attackers to spoof GitHub events and trigger arbitrary workflow execution by sending unsigned POST requests to any known webhook URL. The root cause is a complete absence of HMAC-SHA256 signature verification - the cryptographic control GitHub provides specifically to authenticate webhook deliveries - meaning n8n accepted all inbound POST traffic without validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain target webhook URL via leak or recon
Delivery
Craft POST body mimicking GitHub event schema
Exploit
Send unsigned HTTP POST to webhook endpoint
Execution
n8n skips signature check and accepts request
Persist
Workflow executes with attacker-controlled payload data
Impact
Downstream workflow actions triggered on spoofed input

Vulnerability AssessmentAI

Exploitation The attacker must know the exact webhook URL assigned to a specific n8n workflow using the GitHub Webhook Trigger node - this URL is generated per workflow and is not guessable without prior access or information leakage. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 reflects a moderate-priority vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a target n8n instance's GitHub Webhook Trigger URL - via leaked repository configuration, public commit history, or internal reconnaissance - crafts a POST request mimicking a GitHub push or pull_request event payload and sends it directly to the endpoint without any signature header. The n8n node accepts the request, parses the attacker-controlled JSON body as a legitimate GitHub event, and executes the associated workflow with the injected data, potentially invoking downstream actions such as CI/CD pipeline triggers, API calls, or data transformations with attacker-supplied parameters.
Remediation Vendor-released patches are available: upgrade to n8n 1.123.15 (v1 branch) or n8n 2.5.0 (v2 branch) per the GHSA-mqpr-49jj-32rc advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-33720 MEDIUM POC
6.3 Mar 25

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

Share

EUVD-2026-38377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy