CVE-2026-56357
Analyzed Analyzed - Analysis Complete

GitHub Webhook Forgery in n8n

Vulnerability report for CVE-2026-56357, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-24

Assigner: VulnCheck

Description

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-24
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
n8n n8n to 1.123.15 (exc)
n8n n8n From 2.0.0 (inc) to 2.5.0 (exc)
n8n n8n to 1.123.15 (exc)
n8n n8n From 2.0.0 (inc) to 2.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in n8n versions before 1.123.15 and 2.5.0 in the GitHub Webhook Trigger node. It is a webhook forgery vulnerability caused by the failure to implement HMAC-SHA256 signature verification. As a result, attackers who know the webhook URL can send unsigned POST requests that trigger workflows with arbitrary data, effectively spoofing GitHub webhook events.

Impact Analysis

The impact of this vulnerability is that an attacker can trigger workflows in n8n by sending forged webhook requests without proper authentication. This can lead to unauthorized execution of workflows with arbitrary data, potentially causing unintended actions or data manipulation within the affected system.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the GitHub Webhook Trigger node in n8n failing to verify HMAC-SHA256 signatures, allowing unsigned POST requests to trigger workflows. Detection can focus on monitoring for unsigned POST requests sent to the webhook URL that normally should include a valid HMAC-SHA256 signature header.

You can detect potential exploitation attempts by inspecting web server or application logs for POST requests to the webhook endpoint that lack the expected signature header (usually 'X-Hub-Signature-256').

Example commands to detect such requests might include:

  • Using grep on logs to find POST requests missing the signature header: grep -i 'POST /webhook-endpoint' /var/log/nginx/access.log | grep -v 'X-Hub-Signature-256'
  • Using tcpdump or Wireshark to capture POST requests to the webhook URL and inspect headers for missing HMAC signatures.
  • Setting up intrusion detection rules to alert on POST requests to the webhook URL without the HMAC signature header.
Mitigation Strategies

Immediate mitigation steps include upgrading n8n to version 1.123.15 or later, or 2.5.0 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, temporary mitigations include restricting workflow permissions to trusted users only and limiting network access to the webhook endpoint to known GitHub IP ranges.

These mitigations reduce the risk but do not fully resolve the vulnerability, so upgrading remains the recommended action.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56357. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart