Home

Description

n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data.

PUBLISHED Reserved 2026-06-20 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
MEDIUM: 4.0CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Problem types

Authentication Bypass by Spoofing

Product status

Default status
unaffected

Any version before 1.123.18
affected

1.123.18 (semver)
unaffected

2.0.0 (semver) before 2.6.2
affected

2.6.2 (semver)
unaffected

Credits

nkoorty reporter

jjjutla reporter

References

github.com/...io/n8n/security/advisories/GHSA-38c7-23hj-2wgq (GitHub Security Advisory (GHSA-38c7-23hj-2wgq)) vendor-advisory

www.vulncheck.com/...nsigned-post-requests-in-zendesktrigger (VulnCheck Advisory: n8n - Webhook Forgery via Unsigned POST Requests in ZendeskTrigger) third-party-advisory

cve.org (CVE-2026-56360)

nvd.nist.gov (CVE-2026-56360)

Download JSON