Description
n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data.
Problem types
Authentication Bypass by Spoofing
Product status
Any version before 1.123.18
1.123.18 (semver)
2.0.0 (semver) before 2.6.2
2.6.2 (semver)
Credits
nkoorty
jjjutla
References
github.com/...io/n8n/security/advisories/GHSA-38c7-23hj-2wgq (GitHub Security Advisory (GHSA-38c7-23hj-2wgq))
www.vulncheck.com/...nsigned-post-requests-in-zendesktrigger (VulnCheck Advisory: n8n - Webhook Forgery via Unsigned POST Requests in ZendeskTrigger)