PatchSiren cyber security CVE debrief

CVE-2026-56357 n8n CVE debrief

CVE-2026-56357 is a medium-severity vulnerability in n8n, a workflow automation tool. The vulnerability exists in the GitHub Webhook Trigger node: because the node does not verify the HMAC-SHA256 signature on incoming requests, anyone who knows the webhook URL can send unsigned POST requests that trigger workflows with arbitrary data, effectively spoofing GitHub webhook events. The vulnerability has a CVSS score of 6.3 and is classified as MEDIUM. The affected versions are n8n versions before 1.123.15 and versions before 2.5.0. Users should update to a fixed version to mitigate this vulnerability.

Vendor
n8n
Product
Unknown
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-22
Original CVE updated
2026-06-24
Advisory published
2026-06-22
Advisory updated
2026-06-24

Who should care

Users of n8n, especially those who use the GitHub Webhook Trigger node, should be aware of this vulnerability. If your workflows rely on GitHub webhook events, you are at risk of potential spoofing attacks. Security teams and administrators responsible for maintaining n8n installations should prioritize updating to a secure version.

Technical summary

The GitHub Webhook Trigger node in n8n before 1.123.15 and before 2.5.0 does not verify the HMAC-SHA256 signature (the X-Hub-Signature-256 header GitHub attaches to each delivery) on incoming webhook requests. This omission allows an attacker with knowledge of a webhook URL to craft and send unsigned POST requests that trigger workflows with arbitrary data. Such requests spoof GitHub webhook events, potentially leading to unauthorized actions within the n8n workflows that consume them. The vulnerability carries a CVSS:4.0 vector of AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, giving a CVSS score of 6.3, classified as MEDIUM.

Defensive priority

This vulnerability should be prioritized for remediation, especially in environments where the GitHub Webhook Trigger node is used extensively or where the potential impact of workflow spoofing is high. Given the medium severity, it is recommended to update to a secure version of n8n as soon as possible.

Recommended defensive actions

  • Update n8n to version 1.123.15 or later for installations using versions before 1.123.15.
  • Update n8n to version 2.5.0 or later for installations using versions before 2.5.0, ensuring that the update includes the fix for the webhook forgery vulnerability.
  • Review and restrict access to webhook URLs to minimize the risk of unauthorized access.
  • Implement additional monitoring and logging for workflows triggered by GitHub webhook events to detect potential spoofing attempts.
  • Consider temporarily disabling affected nodes or workflows until a patch can be applied, if feasible.

Evidence notes

The CVE-2026-56357 vulnerability was made public on 2026-06-22T22:16:52.510Z. The vulnerability affects n8n versions before 1.123.15 and versions before 2.5.0. The CVSS score is 6.3, indicating a medium severity level. The vulnerability allows webhook forgery because the GitHub Webhook Trigger node does not verify the HMAC-SHA256 signature on incoming requests. Official references include the CVE record and NVD detail pages.

Official resources

This article is AI-assisted and based on the supplied source corpus.