CVE-2026-56357: n8n: webhook forgery enables unauthorized workflow execution

MEDIUM
Published June 22, 2026
CISO Take

n8n's GitHub Webhook Trigger node skips HMAC-SHA256 signature validation, allowing any attacker who knows the webhook URL to send arbitrary POST requests that impersonate legitimate GitHub events and trigger registered workflows with attacker-controlled payloads. With n8n increasingly used to orchestrate AI agent pipelines — LLM API calls, automated enrichment, model deployment triggers — a spoofed event can silently activate high-privilege workflows, and the Scoped impact flag (S:C) means blast radius extends well beyond n8n itself to downstream AI systems. There is no public exploit or KEV listing, and high attack complexity (URL discovery) limits opportunistic exposure, but organizations with webhook URLs leaked in CI/CD logs, team chats, or via SSRF face meaningful risk. Patch to n8n ≥1.123.15 or ≥2.5.0 immediately; if patching is delayed, restrict webhook ingress to GitHub's published IP ranges and audit execution logs for unexpected activations.

Sources: NVD, GitHub Advisory, ATLAS, OpenSSF, VulnCheck

What is the risk?

The CVSS medium score (4.0) substantially understates risk in AI pipeline contexts. n8n workflows routinely carry high-privilege credentials and trigger consequential actions — LLM inference, data writes, deployments — far exceeding what the base score implies. Exploitation requires zero credentials and no user interaction once the URL is known, a realistic scenario given URL leakage in CI/CD logs, Slack exports, or SSRF vulnerabilities on internal services. The OpenSSF Scorecard of 6.6/10 and 109 prior CVEs in this package indicate a pattern of security debt. Risk is elevated for organizations where n8n serves as the automation backbone for AI agent pipelines handling sensitive data or privileged tool access.

How does the attack unfold?

  1. Reconnaissance (AML.T0095.000)
     Attacker discovers the n8n GitHub webhook URL via OSINT — leaked in public CI/CD logs, GitHub Actions workflow files, or team communication exports.

  2. Webhook Forgery (AML.T0049)
     Attacker crafts a POST request with a spoofed GitHub event payload and sends it to the discovered webhook URL without a valid HMAC-SHA256 signature.

  3. Unauthorized Workflow Execution (AML.T0053)
     n8n accepts the unsigned request and triggers the registered workflow with attacker-controlled event data injected as input to AI agent nodes.

  4. Impact (AML.T0034)
     Attacker achieves unauthorized AI pipeline execution — triggering LLM API calls with injected content, consuming inference credits, exfiltrating agent context, or initiating unauthorized downstream deployments.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm         -                  No patch

Package profile: 193.4K | OpenSSF 6.6 | Pushed 2d ago | 55% patched | ~2d to patch


How severe is it?

CVSS 3.1: 4.0 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Metric                       Value
AV (Attack Vector)           Network
AC (Attack Complexity)       High
PR (Privileges Required)     None
UI (User Interaction)        None
S  (Scope)                   Changed
C  (Confidentiality)         None
I  (Integrity)               Low
A  (Availability)            None

What should I do?

  1. Upgrade n8n to ≥1.123.15 (stable) or ≥2.5.0 (v2 branch) — this is the only complete remediation.

  2. If patching is delayed, restrict webhook endpoint ingress to GitHub's published IP ranges via firewall or WAF (current ranges at https://api.github.com/meta).

  3. Rotate all existing GitHub webhook URLs post-patch — URLs known prior to patching should be treated as compromised.

  4. Audit n8n execution logs for webhook activations originating from non-GitHub source IPs or at anomalous times.

  5. For high-privilege workflows (those invoking LLM APIs, writing to datastores, or triggering deployments), add manual approval steps as defense-in-depth until patching is complete.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art.9 - Risk management system
ISO 42001: A.9.3 - AI system security testing
NIST AI RMF: MANAGE-2.4 - Residual risks and mitigations
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-56357 actively exploited?

No confirmed active exploitation of CVE-2026-56357 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-56357?

  1. Upgrade n8n to ≥1.123.15 (stable) or ≥2.5.0 (v2 branch) — this is the only complete remediation.

  2. If patching is delayed, restrict webhook endpoint ingress to GitHub's published IP ranges via firewall or WAF (current ranges at https://api.github.com/meta).

  3. Rotate all existing GitHub webhook URLs post-patch — URLs known prior to patching should be treated as compromised.

  4. Audit n8n execution logs for webhook activations originating from non-GitHub source IPs or at anomalous times.

  5. For high-privilege workflows (those invoking LLM APIs, writing to datastores, or triggering deployments), add manual approval steps as defense-in-depth until patching is complete.

What systems are affected by CVE-2026-56357?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Automated AI pipelines, CI/CD-integrated ML workflows, LLM orchestration platforms, Event-driven AI automation.

What is the CVSS score for CVE-2026-56357?

CVE-2026-56357 has a CVSS v3.1 base score of 4.0 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Automated AI pipelines
CI/CD-integrated ML workflows
LLM orchestration platforms
Event-driven AI automation

MITRE ATLAS Techniques

AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0080 AI Agent Context Poisoning

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

Exploitation Scenario

An adversary targeting an organization using n8n to automate AI enrichment pipelines locates a GitHub webhook URL leaked in a public GitHub Actions workflow log. They craft a POST request with a valid-looking GitHub push event JSON payload referencing an internal branch name gleaned from repository metadata. Because n8n does not verify the HMAC-SHA256 signature, the request is accepted and triggers a workflow that calls the organization's LLM API with attacker-controlled commit diff content — potentially exfiltrating internal code snippets via LLM response logging, burning API credits, and injecting malicious data into downstream AI agent context. In a more targeted scenario, the spoofed push event triggers an automated model deployment workflow, pushing an unauthorized artifact to a staging AI inference endpoint.

Weaknesses (CWE)

CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Timeline

Published: June 22, 2026
Last Modified: June 22, 2026
First Seen: June 23, 2026
