← Back
2026-06-22 21:4CVE-2026-56357VulnCheck
PUBLISHED5.2CWE-290

n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

Problem type

Affected products

n8n

n8n

< 1.123.15 - AFFECTED

1.123.15 - UNAFFECTED

< 2.5.0 - AFFECTED

2.5.0 - UNAFFECTED

References

GitHub Security Advisory (GHSA-mqpr-49jj-32rc)

https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc

vendor-advisory
VulnCheck Advisory: n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger

https://www.vulncheck.com/advisories/n8n-webhook-forgery-via-missing-hmac-sha256-signature-verification-in-github-webhook-trigger

third-party-advisory

GitHub Security Advisories

GHSA-mqpr-49jj-32rc

n8n: Webhook Forgery on Github Webhook Trigger

https://github.com/advisories/GHSA-mqpr-49jj-32rc

Impact

An attacker who knows the webhook URL of a workflow using the GitHub Webhook Trigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node did not implement the HMAC-SHA256 signature verification that GitHub provides to authenticate webhook deliveries, allowing any party to spoof GitHub webhook events.

Patches

The issue has been fixed in n8n versions 2.5.0 and 1.123.15. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Limit workflow creation and editing permissions to fully trusted users only.
  • Restrict network access to the n8n webhook endpoint to known GitHub webhook IP ranges.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

github.com

https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc

github.com

https://github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578

github.com

https://github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36

github.com

https://github.com/advisories/GHSA-mqpr-49jj-32rc

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-56357
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-56357",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-06-22T21:04:52.333Z",
    "dateReserved": "2026-06-20T21:16:53.711Z",
    "datePublished": "2026-06-22T21:04:52.333Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-06-22T21:04:52.333Z"
      },
      "datePublic": "2026-02-25T00:00:00.000Z",
      "title": "n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger",
      "descriptions": [
        {
          "lang": "en",
          "value": "n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events."
        }
      ],
      "affected": [
        {
          "vendor": "n8n",
          "product": "n8n",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "1.123.15"
            },
            {
              "version": "1.123.15",
              "status": "unaffected",
              "versionType": "semver"
            },
            {
              "version": "2.0.0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "2.5.0"
            },
            {
              "version": "2.5.0",
              "status": "unaffected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Authentication Bypass by Spoofing",
              "cweId": "CWE-290",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc",
          "name": "GitHub Security Advisory (GHSA-mqpr-49jj-32rc)",
          "tags": [
            "vendor-advisory"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/n8n-webhook-forgery-via-missing-hmac-sha256-signature-verification-in-github-webhook-trigger",
          "name": "VulnCheck Advisory: n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "simonkoeck",
          "type": "reporter"
        }
      ]
    }
  }
}