PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56360 n8n CVE debrief

The CVE record for CVE-2026-56360 was published on 2026-07-08T14:17:16.757Z. n8n, a workflow automation tool, is vulnerable to webhook forgery in its ZendeskTrigger node due to the failure to verify HMAC-SHA256 signatures on incoming Zendesk webhooks. This oversight allows attackers who know the webhook URL to send unsigned POST requests, potentially triggering workflows with arbitrary malicious data. The vulnerability affects n8n versions before 1.123.18 and 2.6.2, and users of these versions who utilize the ZendeskTrigger node with Zendesk webhooks should verify their configurations and update to a patched version to prevent potential malicious data injection.

Vendor
n8n
Product
Unknown
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of n8n versions before 1.123.18 and 2.6.2 who utilize the ZendeskTrigger node with Zendesk webhooks should verify their configurations and update to a patched version to prevent potential malicious data injection. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their environments and take necessary actions.

Technical summary

n8n, a workflow automation tool, is vulnerable to webhook forgery in its ZendeskTrigger node. The issue arises from the failure to verify HMAC-SHA256 signatures on incoming Zendesk webhooks. This oversight allows attackers who know the webhook URL to send unsigned POST requests, potentially triggering workflows with arbitrary malicious data. The vulnerability affects n8n versions before 1.123.18 and 2.6.2. To mitigate this risk, users should update to a patched version and verify their configurations.

Defensive priority

Medium priority should be given to updating n8n instances to versions 1.123.18 or 2.6.2, or later, to mitigate the risk of webhook forgery and potential data injection attacks. Additionally, defenders should review the affected scope, severity, and vendor guidance to assess the impact on their environments.

Recommended defensive actions

  • Update n8n to version 1.123.18 or 2.6.2, or later.
  • Verify and validate all webhook URLs and configurations.
  • Implement additional monitoring for suspicious workflow triggers.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record and NVD details indicate that n8n versions before 1.123.18 and 2.6.2 are vulnerable. Users should consult the official advisories and documentation for detailed mitigation steps. It is crucial to verify the configurations of the ZendeskTrigger node and ensure that HMAC-SHA256 signatures are properly validated to prevent potential malicious data injection. Additionally, defenders should review the affected scope, severity, and vendor guidance to assess the impact on their environments.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:16.757Z and has not been modified since then. The NVD entry is currently Analyzed.