PT-2026-51415 · N8N · N8N

Simonkoeck

Published

2026-06-22

Updated

2026-06-22

CVE-2026-56357

CVSS v3.1

4.0

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

Fix

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-290

Related Identifiers

CVE-2026-56357

Affected Products

N8N

PT-2026-51415 · N8N · N8N

CVE-2026-56357

Weakness Enumeration

Related Identifiers

Affected Products

References · 3