n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| N8n | N8n | * | 2.25.7 (excluding) |
| N8n | N8n | 2.26.0 (including) | 2.26.2 (excluding) |