CVE-2026-56357
Received - Intake
GitHub Webhook Forgery in n8n

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulnCheck

Description
n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.
Affected Vendors & Products
Vendor: n8n
Product: n8n
Version / Range: to 1.123.15|start_including=2.5.0 (exc)
CWE
CWE-290: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Executive Summary

This vulnerability exists in n8n versions before 1.123.15 and 2.5.0 in the GitHub Webhook Trigger node. It is a webhook forgery vulnerability caused by the failure to implement HMAC-SHA256 signature verification. As a result, attackers who know the webhook URL can send unsigned POST requests that trigger workflows with arbitrary data, effectively spoofing GitHub webhook events.

Impact Analysis

An attacker can trigger workflows in n8n by sending forged webhook requests that are never authenticated. This can lead to unauthorized execution of workflows with arbitrary data, potentially causing unintended actions or data manipulation within the affected system.
