CVE-2026-56360 PUBLISHED

n8n - Webhook Forgery via Unsigned POST Requests in ZendeskTrigger

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 08.07.2026 Updated: 08.07.2026

n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
CVSS Score: 6.3

Product Status

Vendor n8n
Product n8n
Versions Default: unaffected
  • affected from 0 to 1.123.18 (excl.)
  • Version 1.123.18 is unaffected
  • affected from 2.0.0 to 2.6.2 (excl.)
  • Version 2.6.2 is unaffected

Credits

  • nkoorty reporter
  • jjjutla reporter

References

Problem Types

  • Authentication Bypass by Spoofing CWE