CVE-2026-56357 n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger

🗓️ 22 Jun 2026 21:04:52Reported by VulnCheckType

CVE-2026-56357: n8n Webhook Trigger lacks HMAC verification, enabling unsigned post forgery.

Reporter	Title	Published	Views	Family All 7
ATTACKERKB	CVE-2026-56357	22 Jun 202621:04	–	attackerkb
CVE	CVE-2026-56357	22 Jun 202621:04	–	cve
EUVD	EUVD-2026-38377	22 Jun 202621:04	–	euvd
Github Security Blog	n8n: Webhook Forgery on Github Webhook Trigger	26 Feb 202615:58	–	github
NVD	CVE-2026-56357	22 Jun 202622:16	–	nvd
OSV	GHSA-MQPR-49JJ-32RC n8n: Webhook Forgery on Github Webhook Trigger	26 Feb 202615:58	–	osv
Positive Technologies	PT-2026-51415	22 Jun 202600:00	–	ptsecurity

[
  {
    "vendor": "n8n",
    "product": "n8n",
    "defaultStatus": "unaffected",
    "packageURL": "pkg:npm/n8n",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "versionType": "semver",
        "lessThan": "1.123.15"
      },
      {
        "version": "1.123.15",
        "status": "unaffected",
        "versionType": "semver"
      },
      {
        "version": "2.0.0",
        "status": "affected",
        "versionType": "semver",
        "lessThan": "2.5.0"
      },
      {
        "version": "2.5.0",
        "status": "unaffected",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
vulncheck	www.vulncheck.com/advisories/n8n-webhook-forgery-via-missing-hmac-sha256-signature-verification-in-github-webhook-trigger
github	www.github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc

22 Jun 2026 21:04Current

CVSS 3.14

CVSS 46.3

CWE-290