CVE-2026-54308: n8n: unauthed webhook bypass hijacks AI agent workflows

GHSA-jvc7-762p-3743 HIGH
Published June 16, 2026
CISO Take

n8n's MicrosoftAgent365Trigger and StripeTrigger nodes accepted inbound webhook requests without validating that they came from the provider, so an unauthenticated attacker who knows or discovers a workflow's webhook URL can submit a forged payload and drive workflow execution with fully attacker-controlled data. For organizations using n8n to orchestrate AI agents, connecting LLMs, external APIs and business systems, adversary-supplied input then flows unchecked through the whole automation chain: prompt injection into LLM nodes, unauthorized tool invocations, pivoting through connected APIs, or data exfiltration from integrated services. No credentials or privileges are required (AV:N/AC:L/PR:N/UI:N). The EPSS score is currently low (higher than only about 17% of all CVEs), which reflects the absence of public exploit code rather than any difficulty, and 95 prior CVEs in the same package show a well-targeted attack surface; once a URL is known, exploitation is a single HTTP POST. Patch immediately to n8n 2.25.7 or 2.26.2; if patching is not feasible, deactivate workflows using the affected trigger nodes and restrict webhook endpoint network access to trusted IP ranges.

Sources: NVD, EPSS, GitHub Advisory, MITRE ATLAS, OpenSSF

What is the risk?

High risk for organizations deploying n8n as an AI workflow orchestrator. No authentication, no privileges and no user interaction are required; the only thing an attacker needs is the webhook URL of an active workflow that uses one of the two affected trigger nodes, and a webhook path that is guessable, committed to a repository, written into a ticket or pasted into a chat is no longer a secret. The CVSS scope is Changed (S:C): a successful request affects resources beyond the trigger node itself, namely the LLM calls, data stores and external APIs the workflow reaches. The EPSS score is low (higher than only about 17% of all CVEs), and there is no public exploit code or CISA KEV listing yet, but 95 prior CVEs in this package show n8n is a mature and persistent target, and the trivial exploitation barrier means time-to-exploit is short once a URL is obtained via scanning, leakage or insider knowledge.

How does the attack unfold?

Reconnaissance
Adversary scans Shodan/Censys for exposed n8n instances and enumerates or discovers active webhook URLs for MicrosoftAgent365Trigger or StripeTrigger nodes via common path patterns or leaked configuration.
AML.T0006
Initial Access
Adversary submits a forged POST payload to the unauthenticated webhook endpoint, bypassing all authentication controls and triggering workflow execution with attacker-controlled data.
AML.T0049
Agent Tool Invocation
n8n workflow executes with attacker-supplied data flowing through all configured nodes — LLM calls, API integrations, email nodes, and data store operations — without any validation of the triggering event's legitimacy.
AML.T0053
Impact
Attacker achieves data exfiltration from connected services, unauthorized financial event simulation via Stripe integrations, or prompt injection into LLM nodes to escalate control over downstream AI agent actions.
AML.T0086

What systems are affected?

Package: n8n (npm)
Vulnerable range: >= 2.26.0, < 2.26.2
Patched: 2.26.2 (the advisory also lists 2.25.7 as the fixed release on the 2.25 line)
192.4K | OpenSSF 6.5 | Pushed 2d ago | 51% patched | ~3d to patch

Do you use n8n? If you run a vulnerable version and any active workflow uses the MicrosoftAgent365Trigger or StripeTrigger node, you're affected.

How severe is it?

CVSS 3.1
7.2 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 17% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

What should I do?

6 steps
  1. Patch: Upgrade n8n to 2.25.7 or 2.26.2 (or later) immediately. These releases make the two trigger nodes validate inbound requests before a workflow runs.

  2. Temporary workaround if patching is blocked: deactivate every workflow that uses a MicrosoftAgent365Trigger or StripeTrigger node. An inactive workflow's production webhook is not served, so the node can stay in the workflow until you upgrade.

  3. Restrict network access to the n8n webhook endpoint (default port 5678, or the reverse proxy in front of it) to trusted source IPs via firewall or reverse-proxy ACL. For these two nodes "trusted" means the provider's published webhook source ranges (Stripe publishes its list); an allowlist that blocks the provider also breaks the legitimate integration, so test the callback after applying it.

  4. Audit all active webhook URLs and change the webhook path of any workflow whose URL may have been exposed; update the registration on the provider side to match, otherwise legitimate events stop arriving.

  5. Review webhook activity logs (reverse-proxy access logs and n8n execution history) for anomalous trigger patterns: unexpected source IPs, unusual user agents, malformed or unusual payloads, or bursts of executions, as indicators of prior exploitation.

  6. Implement egress controls on the n8n host now rather than after an incident: limit outbound connections to the APIs the workflows actually need, so a forged execution cannot reach an arbitrary attacker-controlled endpoint.
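For step 5, a log-triage pass as an added example written for this page (it is not n8n's code and not part of the advisory): it parses nginx combined-format access lines from a reverse proxy in front of n8n, keeps POSTs to n8n's /webhook/ and /webhook-test/ paths, and flags every hit whose source is outside an allowlist. The log lines and the allowlist CIDRs are constructed (TEST-NET ranges), not the providers' real source addresses.

```javascript
// Added example for this page, not n8n's code: triage nginx "combined" access-log lines
// from a reverse proxy in front of n8n and flag webhook POSTs from unexpected sources.
// n8n serves production webhooks under /webhook/<path> and test webhooks under /webhook-test/<path>.

// Constructed allowlist using TEST-NET ranges; in a real deployment use the provider's
// published webhook source ranges (e.g. Stripe's list) instead.
const ALLOWED_SOURCES = ['203.0.113.0/24', '198.51.100.0/24'];

const WEBHOOK_PATH_RE = /^\/webhook(?:-test)?\/[^\s?]+/;

// nginx combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)(?: "([^"]*)" "([^"]*)")?/;

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

// IPv4 CIDR membership test.
function inCidr(ip, cidr) {
  const [network, prefix] = cidr.split('/');
  const bits = Number(prefix);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(network) & mask) >>> 0);
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3], path: m[4],
    status: Number(m[5]), bytes: m[6] === '-' ? 0 : Number(m[6]),
    userAgent: m[8] || '',
  };
}

// Returns individual suspicious requests plus per-webhook counters. A flagged hit that
// got a 200 means the (unpatched) workflow actually executed on that request.
function triageWebhookHits(lines, allowed = ALLOWED_SOURCES) {
  const findings = [];
  const perPath = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== 'POST') continue;      // webhook triggers fire on POST
    const match = WEBHOOK_PATH_RE.exec(rec.path);
    if (!match) continue;                              // not a webhook endpoint
    const webhookPath = match[0];
    const trusted = allowed.some((cidr) => inCidr(rec.ip, cidr));
    const stats = perPath.get(webhookPath) || { total: 0, untrusted: 0, untrustedIps: new Set() };
    stats.total += 1;
    if (!trusted) {
      stats.untrusted += 1;
      stats.untrustedIps.add(rec.ip);
      findings.push({ ip: rec.ip, time: rec.time, path: webhookPath, status: rec.status, userAgent: rec.userAgent });
    }
    perPath.set(webhookPath, stats);
  }
  const summary = [...perPath].map(([path, s]) => ({
    path, total: s.total, untrusted: s.untrusted, untrustedIps: [...s.untrustedIps],
  }));
  return { findings, summary };
}

// Constructed sample log: one legitimate Stripe hit, two forged hits to the same path from
// a non-allowlisted address, one legitimate Microsoft hit, plus noise that must be ignored.
const SAMPLE_LOG = [
  '203.0.113.7 - - [16/Jun/2026:10:01:02 +0000] "POST /webhook/stripe-orders HTTP/1.1" 200 15 "-" "constructed-provider-ua"',
  '192.0.2.55 - - [16/Jun/2026:10:03:44 +0000] "POST /webhook/stripe-orders HTTP/1.1" 200 15 "-" "python-requests/2.31"',
  '192.0.2.55 - - [16/Jun/2026:10:03:45 +0000] "POST /webhook/stripe-orders HTTP/1.1" 200 15 "-" "python-requests/2.31"',
  '198.51.100.12 - - [16/Jun/2026:10:05:00 +0000] "POST /webhook/agent365-mail HTTP/1.1" 200 15 "-" "constructed-provider-ua"',
  '192.0.2.99 - - [16/Jun/2026:10:06:10 +0000] "GET /webhook/stripe-orders HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [16/Jun/2026:10:07:30 +0000] "POST /rest/login HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
];

const report = triageWebhookHits(SAMPLE_LOG);
for (const f of report.findings) {
  console.log(`suspicious: ${f.time} ${f.ip} POST ${f.path} -> ${f.status} (${f.userAgent})`);
}
console.log(JSON.stringify(report.summary, null, 2));
```

Run it over the real access log with `triageWebhookHits(fs.readFileSync(path, 'utf8').split('\n'))`. Correlate each flagged timestamp with the execution list in n8n to see what the forged event actually did; after patching, forged requests should show non-2xx statuses instead.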

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.1 - AI system security measures
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of AI system throughout lifecycle
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-54308?

CVE-2026-54308 is an authentication bypass (CWE-290) in n8n's MicrosoftAgent365Trigger and StripeTrigger nodes: they accepted inbound webhook requests without validating that they came from the provider, so anyone who knows a workflow's webhook URL can POST a forged event and run the workflow on attacker-controlled data. In AI-agent workflows that data reaches LLM nodes, tool calls and connected APIs, enabling prompt injection, unauthorized actions and data exfiltration. It is fixed in n8n 2.25.7 and 2.26.2; until patched, deactivate workflows using the affected nodes and restrict network access to the webhook endpoint.

Is CVE-2026-54308 actively exploited?

No confirmed active exploitation of CVE-2026-54308 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54308?

Upgrade n8n to 2.25.7 or 2.26.2 (or later). If you cannot patch yet, deactivate every workflow that uses a MicrosoftAgent365Trigger or StripeTrigger node and restrict access to the webhook endpoint (default port 5678) to the provider's source IP ranges. Then change the webhook path of any workflow whose URL may have leaked, review access logs and execution history for forged triggers, and apply egress controls on the n8n host. The full six-step list is under "What should I do?" above.

What systems are affected by CVE-2026-54308?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow orchestration, agentic automation pipelines, LLM tool-calling integrations, webhook-triggered AI workflows.

What is the CVSS score for CVE-2026-54308?

CVE-2026-54308 has a CVSS v3.1 base score of 7.2 (HIGH). The EPSS exploitation probability is 0.05%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI workflow orchestration, agentic automation pipelines, LLM tool-calling integrations, webhook-triggered AI workflows

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0034.002 Agentic Resource Consumption
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Impact

The `MicrosoftAgent365Trigger` and `StripeTrigger` nodes did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data.

## Patches

The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Deactivate any workflows using the Microsoft Agent 365 Trigger node or Stripe Trigger node until the instance can be upgraded.
- Restrict network access to the n8n webhook endpoint to trusted sources only.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An adversary performs passive reconnaissance via Shodan or Censys, identifying internet-exposed n8n instances running the vulnerable version. They probe for active webhook paths by guessing common n8n URL patterns or discovering them via leaked configuration files or source repositories. The attacker crafts a POST request mimicking a legitimate Microsoft 365 notification or Stripe event payload and submits it to the unauthenticated endpoint. The n8n workflow executes without challenge, processing attacker-controlled data through all configured nodes. In an AI agent context, the attacker injects prompt instructions into data fields processed by an LLM node, causing the agent to exfiltrate sensitive workflow context, send phishing emails via connected email nodes, modify records in integrated databases, or invoke downstream tool calls on behalf of the attacker — all within the trust context of the legitimate workflow.

Weaknesses (CWE)

CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026
