{"data":{"id":"9c222c43-4681-40fc-801e-01943ade47c8","title":"GHSA-mqpr-49jj-32rc: n8n: Webhook Forgery on Github Webhook Trigger","summary":"A security flaw in n8n's GitHub Webhook Trigger node allowed unauthenticated attackers to forge webhook messages. The node failed to verify the HMAC-SHA256 signature that GitHub sends with each delivery in the X-Hub-Signature-256 header (a keyed hash of the request body, computed with the webhook's shared secret, which confirms that the message came from GitHub and was not altered), so anyone who knew the webhook URL could send fake requests and trigger workflows with whatever data they wanted.","solution":"The issue has been fixed in n8n versions 2.5.0 and 1.123.15. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider these temporary mitigations: (1) Limit workflow creation and editing permissions to fully trusted users only, and (2) Restrict network access to the n8n webhook endpoint so that only GitHub's published webhook IP ranges can reach it (an IP allowlist limits who can reach the endpoint but does not verify the signature). The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-mqpr-49jj-32rc","publishedAt":"2026-02-26T15:58:34.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["n8n@>= 2.0.0, < 2.5.0 (fixed: 2.5.0)","n8n@< 1.123.15 (fixed: 1.123.15)"],"affectedVendors":[],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}