CVE-2026-21894
Authentication Bypass in n8n Stripe Trigger Enables Workflow Manipulation
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | From 0.150.0 (inclusive) to 2.2.2 (exclusive) |
| n8n | n8n | 2.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to trigger workflows by sending forged Stripe webhook events, potentially faking payment or subscription events and manipulating downstream workflow behavior. Such unauthorized actions could lead to improper processing of personal or payment data, which may result in non-compliance with standards and regulations like GDPR or HIPAA that require data integrity and proper authentication controls. Therefore, the vulnerability poses a risk to compliance by undermining the authenticity and integrity of data processing workflows involving sensitive information. The issue has been fixed in version 2.2.2 by implementing proper Stripe webhook signature verification. [3]
Can you explain this vulnerability to me?
CVE-2026-21894 is an authentication bypass vulnerability in the Stripe Trigger node of the n8n workflow automation platform (versions 0.150.0 to before 2.2.2). The node creates and stores a Stripe webhook signing secret but does not verify incoming webhook requests against this secret. This allows unauthenticated attackers who know the webhook URL to send forged Stripe webhook events, causing workflows to execute as if legitimate Stripe events were received. Essentially, attackers can fake payment or subscription events and manipulate downstream workflow behavior. The vulnerability was fixed by implementing proper Stripe webhook signature verification using HMAC-SHA256 and timestamp validation to ensure authenticity and prevent replay attacks. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to trigger workflows in n8n without authentication by sending forged Stripe webhook events. This can lead to fake payment or subscription events being processed, potentially causing incorrect or malicious downstream workflow actions. Although the webhook URL contains a high-entropy UUID which reduces risk, authenticated users with access to workflows can view this URL, increasing exposure. The impact includes unauthorized manipulation of business processes automated by n8n workflows that rely on Stripe events. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on identifying unauthorized or forged Stripe webhook POST requests sent to the n8n Stripe Trigger webhook URL. Since the vulnerability allows unauthenticated parties to trigger workflows by sending forged webhook events, monitoring HTTP POST requests to the webhook endpoint URL for unusual or unexpected events can help detect exploitation attempts. Specifically, you can monitor web server or application logs for POST requests to the Stripe webhook URL that lack valid Stripe signature headers or originate from unexpected IP addresses. Commands to detect such activity might include:
1. Using grep or similar tools to search logs for POST requests to the webhook URL: `grep 'POST /webhook/stripe/' /var/log/nginx/access.log`
2. Filtering those requests for lines that carry no Stripe-Signature header (only possible if the log format records request headers): `grep 'POST /webhook/stripe/' /var/log/nginx/access.log | grep -v 'Stripe-Signature'`
3. Using network monitoring tools like tcpdump or Wireshark to capture HTTP POST traffic to the webhook endpoint and analyze the presence and validity of Stripe-Signature headers.
4. Reviewing n8n workflow execution logs for unexpected or suspicious workflow triggers related to Stripe events.
Note that the webhook URL contains a high-entropy UUID, so detection may require knowledge of the exact URL or monitoring all webhook endpoints. Implementing signature verification (as per the patch) is the best way to prevent unauthorized triggers and also helps in detection by rejecting invalid requests. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Upgrade n8n to version 2.2.2 or later, where the vulnerability is fixed by implementing Stripe webhook signature verification.
2. As a temporary workaround before upgrading, deactivate any workflows that use the Stripe Trigger node to prevent unauthorized triggering.
3. Restrict access to workflows containing Stripe Trigger nodes to trusted users only, minimizing the risk of the webhook URL being exposed.
4. Ensure that the Stripe webhook signing secret is properly configured in the Stripe API credentials within n8n to enable signature verification once upgraded.
These steps reduce the risk of unauthorized workflow execution caused by forged Stripe webhook events. [3]