CVE-2026-21894: n8n: security flaw enables exploitation

MEDIUM
Published January 8, 2026
CISO Take

If your team uses n8n for AI workflow automation, any active Stripe Trigger workflow is exposed to unauthorized execution via forged webhook events — upgrade to 2.2.2 immediately or deactivate affected workflows now. The risk is highest in environments where n8n orchestrates AI agents with access to sensitive downstream systems, financial logic, or provisioning actions. Do not rely on URL obscurity as a control.

Risk Assessment

Effective risk is medium-high for organizations using n8n as an AI agent orchestrator. The high-entropy UUID reduces opportunistic exploitation but is not a security control: any authenticated n8n user with workflow read access can extract the webhook URL. In agent-heavy deployments, unauthorized triggers can cascade into AI-driven actions far beyond what the CVSS 6.5 score implies: automated provisioning, LLM-driven decision trees, or third-party API calls executed under the assumption of a valid payment event.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm         No patch


Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 4% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): High
Availability (A): None

Recommended Action

1. PATCH: Upgrade n8n to version 2.2.2 immediately — this is a one-line fix.

2. INTERIM: Deactivate all workflows using the Stripe Trigger node until patched.

3. ACCESS CONTROL: Restrict workflow view permissions to trusted users only — the webhook UUID is visible to any authenticated n8n user and cannot be rotated without recreating the webhook.

4. AUDIT: Inventory all Stripe Trigger workflows and assess downstream blast radius (provisioning, financial writes, AI agent tool invocations).

5. DETECT: Cross-reference n8n workflow execution logs against actual Stripe dashboard events — any Stripe Trigger firing without a matching Stripe event ID is suspicious.

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  A.6.2.6 - AI system access control and authentication
  A.9.3 - AI System Access Control
NIST AI RMF
  GOVERN 6.2 - Policies and procedures are in place for AI cybersecurity commitments
  MANAGE 2.2 - Mechanisms ensure AI systems behave as intended
OWASP LLM Top 10
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-21894 actively exploited?

No confirmed active exploitation of CVE-2026-21894 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-21894?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation pipelines, API integration layers.

What is the CVSS score for CVE-2026-21894?

CVE-2026-21894 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only.

Exploitation Scenario

An attacker — either a disgruntled insider or an external actor who phished an n8n user account — extracts the Stripe webhook URL from workflow configuration. They craft an HTTP POST to that URL with a JSON body mimicking a Stripe payment_intent.succeeded event matching the workflow's expected event type. Without signature verification, n8n executes the workflow as if a legitimate payment occurred. Downstream AI agent actions fire: a LangChain or LlamaIndex agent is invoked, premium access is provisioned, database records are updated, or a multi-step agentic pipeline executes with the attacker controlling the triggering context. No Stripe account, no valid HMAC signature, no cryptographic material required.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Timeline

Published: January 8, 2026
Last Modified: January 20, 2026
First Seen: January 8, 2026
