Moderate severity · NVD Advisory · Published Jun 22, 2026
n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger
CVE-2026-56357
Description
n8n before 1.123.15, and 2.x releases before 2.5.0, contains a webhook forgery vulnerability in the GitHub Webhook Trigger node, which does not implement HMAC-SHA256 signature verification. An attacker who knows the webhook URL can send unsigned POST requests that trigger workflows with arbitrary data, spoofing GitHub webhook events.
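The missing check, as an added example (not n8n's patch or code): GitHub signs each delivery with HMAC-SHA256 over the raw request body, keyed with the webhook secret, and sends the result in the `X-Hub-Signature-256` header as `sha256=<hex>`. The handler shape, secret and payloads below are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Header value GitHub would send: "sha256=" + hex(HMAC-SHA256(secret, rawBody)).
function signBody(secret, rawBody) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// True only when the header is present, well-formed and matches the body.
// rawBody must be the exact bytes received, not re-serialized JSON.
function verifyGithubSignature(secret, rawBody, headerValue) {
  if (typeof headerValue !== 'string' || !/^sha256=[0-9a-f]{64}$/.test(headerValue)) {
    return false; // unsigned or malformed request: the case in this advisory
  }
  const expected = Buffer.from(signBody(secret, rawBody), 'utf8');
  const received = Buffer.from(headerValue, 'utf8');
  // The regex fixed the length, so timingSafeEqual cannot throw here.
  return crypto.timingSafeEqual(expected, received);
}

// Hypothetical handler: reject before parsing the body or starting a workflow.
function handleWebhook(secret, req) {
  const sig = req.headers['x-hub-signature-256'];
  if (!verifyGithubSignature(secret, req.rawBody, sig)) {
    return { status: 401, triggered: false };
  }
  const event = JSON.parse(req.rawBody.toString('utf8'));
  return { status: 200, triggered: true, event };
}

// Constructed sample requests (not real GitHub deliveries).
const SECRET = 'constructed-example-secret';
const BODY = Buffer.from('{"action":"opened","number":1}', 'utf8');
const signed = { headers: { 'x-hub-signature-256': signBody(SECRET, BODY) }, rawBody: BODY };
const unsigned = { headers: {}, rawBody: BODY };
const tampered = {
  headers: signed.headers, // valid signature, but for a different body
  rawBody: Buffer.from('{"action":"closed","number":1}', 'utf8'),
};

for (const [name, req] of Object.entries({ signed, unsigned, tampered })) {
  console.log(name, handleWebhook(SECRET, req).status);
}
```
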
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| n8n (npm) | < 1.123.15 | 1.123.15 |
| n8n (npm) | >= 2.0.0, < 2.5.0 | 2.5.0 |
References
- github.com/advisories/GHSA-mqpr-49jj-32rc (ghsa, ADVISORY)
- github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc (ghsa, vendor-advisory, WEB)
- www.vulncheck.com/advisories/n8n-webhook-forgery-via-missing-hmac-sha256-signature-verification-in-github-webhook-trigger (mitre, third-party-advisory)
- github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578 (ghsa, WEB)
- github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36 (ghsa, WEB)