Vulnerability Details CVE-2026-56357
n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 8.2%
CVSS Severity
CVSS v3 Score 4.0