Webhook Forgery Vulnerability in n8n by n8n-io
CVE-2026-56360

6.3MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-56360?

n8n before versions 1.123.18 and 2.6.2 contains a vulnerability where the ZendeskTrigger node does not properly verify HMAC-SHA256 signatures on incoming webhooks. This oversight allows attackers who possess the webhook URL to send unauthorized, unsigned POST requests, potentially triggering workflows with harmful data. This vulnerability emphasizes the importance of validating webhook signatures to secure automated processes against exploitation.

Affected Version(s)

n8n 0 < 1.123.18

n8n 2.0.0 < 2.6.2

n8n 1.123.18

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

nkoorty
jjjutla
.