VYPR
Medium severity (6.3) · GHSA Advisory · Published Jun 16, 2026

n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes

CVE-2026-54308

Description

n8n's MicrosoftAgent365Trigger and StripeTrigger nodes lack request validation, allowing unauthenticated attackers to forge webhook payloads and execute workflows with attacker-controlled data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The MicrosoftAgent365Trigger and StripeTrigger nodes in n8n do not validate inbound requests. An unauthenticated attacker who knows the webhook URL can submit a forged payload, causing the workflow to execute with attacker-controlled data. This affects n8n versions prior to 2.25.7 and 2.26.2 [1][2].

Exploitation

An attacker needs only knowledge of the webhook URL (no authentication or user interaction). By sending a crafted HTTP request to the webhook endpoint, the attacker can inject arbitrary data into the workflow execution [1][2].

Impact

Successful exploitation allows the attacker to control the data processed by the workflow, potentially leading to information disclosure or limited integrity impact (CVSS 3.1: 6.1, AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) [1][2].

Mitigation

The issue is fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to these or later versions. If immediate upgrade is not possible, administrators can temporarily deactivate workflows using the affected nodes or restrict network access to the webhook endpoint to trusted sources [1][2].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)