GHSA-mqpr-49jj-32rc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mqpr-49jj-32rc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mqpr-49jj-32rc/GHSA-mqpr-49jj-32rc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mqpr-49jj-32rc
- Published
- 2026-02-26T15:58:34Z
- Modified
- 2026-02-26T16:17:34.791595Z
- Severity
-
- 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
- Summary
- n8n: Webhook Forgery on Github Webhook Trigger
- Details
-
Impact
An attacker who knows the webhook URL of a workflow using the GitHub Webhook Trigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node did not implement the HMAC-SHA256 signature verification that GitHub provides to authenticate webhook deliveries, allowing any party to spoof GitHub webhook events.
Patches
The issue has been fixed in n8n versions 2.5.0 and 1.123.15. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Restrict network access to the n8n webhook endpoint to known GitHub webhook IP ranges.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
- Database specific
{ "github_reviewed_at": "2026-02-26T15:58:34Z", "nvd_published_at": null, "cwe_ids": [ "CWE-290" ], "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
npm / n8n
Package
- Name
- n8n
- View open source insights on deps.dev
- Purl
- pkg:npm/n8n
npm / n8n
Package
- Name
- n8n
- View open source insights on deps.dev
- Purl
- pkg:npm/n8n