CVE-2026-21894

Name of the Vulnerable Software and Affected Versions n8n versions 0.150.0 through 2.2.1

Description n8n is a workflow automation platform. A flaw in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger node creates a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. Consequently, any HTTP client with knowledge of the webhook URL can send a POST request with a matching event type, causing the workflow to execute as if a legitimate Stripe event occurred. This impacts n8n users with active workflows utilizing the Stripe Trigger node. An attacker could potentially simulate payment or subscription events, influencing downstream workflow behavior. The risk is lessened by the webhook URL containing a high-entropy UUID, though authenticated n8n users with workflow access can view this ID. The affected component is the Stripe Trigger node.

Recommendations Versions 0.150.0 through 2.2.1 should be updated to version 2.2.2 or later. As a temporary workaround, deactivate affected workflows. Restrict access to workflows containing Stripe Trigger nodes to trusted users only.