CVE-2026-21894
📋 TL;DR
This CVE describes an authentication bypass vulnerability in n8n's Stripe Trigger node that allows unauthenticated attackers to trigger workflows by sending forged Stripe webhook events. The vulnerability affects n8n users with active workflows using the Stripe Trigger node, potentially enabling attackers to fake payment or subscription events and influence downstream workflow behavior. While the webhook URL contains a high-entropy UUID, authenticated n8n users with workflow access can view this ID.
💻 Affected Systems
- n8n
📦 What is this software?
N8n by N8n
⚠️ Risk & Real-World Impact
Worst Case
Attackers could trigger workflows to process fake payment events, leading to unauthorized transactions, subscription modifications, or downstream business logic manipulation that could result in financial loss or data corruption.
Likely Case
Attackers with knowledge of webhook URLs could trigger workflows to execute unintended actions, potentially causing data inconsistencies, false notifications, or minor business process disruptions.
If Mitigated
With proper access controls and monitoring, impact is limited to workflow execution without data compromise, though false events could still trigger automated processes.
🎯 Exploit Status
Exploitation requires knowledge of the webhook URL, which contains a high-entropy UUID but can be viewed by authenticated users with workflow access. Attackers can send forged POST requests with matching event types.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.2
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5
Restart Required: Yes
Instructions:
1. Update n8n to version 2.2.2 or later.
2. Restart the n8n service.
3. Verify that incoming Stripe webhook requests are now properly validated against the stored signing secret.
🔧 Temporary Workarounds
Deactivate affected workflows
Temporarily disable workflows containing Stripe Trigger nodes until patching is complete
Navigate to workflow settings in n8n UI and toggle workflow activation to OFF
Restrict workflow access
Limit access to workflows containing Stripe Trigger nodes to trusted users only
Configure n8n user permissions to restrict workflow access to authorized personnel
🧯 If You Can't Patch
- Deactivate all workflows using Stripe Trigger nodes immediately
- Implement network-level controls to restrict access to n8n webhook endpoints from unauthorized sources
🔍 How to Verify
Check if Vulnerable:
Check n8n version and verify if any active workflows use Stripe Trigger nodes. Versions 0.150.0 through 2.2.1 are vulnerable.
Check Version:
n8n --version or check package.json version in n8n installation directory
Verify Fix Applied:
After updating to 2.2.2+, verify that incoming Stripe webhook requests are validated against the stored signing secret by testing with invalid signatures.
📡 Detection & Monitoring
Log Indicators:
- Unusual webhook activity from non-Stripe IPs
- Failed webhook signature validations
- Workflow executions triggered by unexpected events
Network Indicators:
- POST requests to /webhook/stripe/* endpoints from non-Stripe sources
- Unusual traffic patterns to webhook URLs
SIEM Query:
source="n8n" AND ((event="webhook_received" AND NOT source_ip IN stripe_ips) OR (event="workflow_triggered" AND workflow_name="*Stripe*"))