
n8n: Hackers can trick n8n workflows with fake GitHub messages

GHSA-mqpr-49jj-32rc
Summary

A security issue in n8n allows attackers to send forged GitHub webhook messages to workflows that use the GitHub Webhook Trigger node, causing those workflows to run with attacker-supplied data. This happens because n8n does not verify the authenticity of messages claiming to come from GitHub. To fix this, update n8n to version 2.5.0 or later. If that is not possible, limit workflow access to trusted users and restrict network access to the webhook endpoint to known GitHub IP addresses.

What to do
  • Update GitHub Actions n8n to version 1.123.15.
  • Update GitHub Actions n8n to version 2.5.0.
Affected software

| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| GitHub Actions | n8n | <= 1.123.15 | 1.123.15 |
| GitHub Actions | n8n | > 2.0.0, <= 2.5.0 | 2.5.0 |
Original title
n8n: Webhook Forgery on Github Webhook Trigger
Original description
## Impact
An attacker who knows the webhook URL of a workflow using the GitHub Webhook Trigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node did not implement the HMAC-SHA256 signature verification that GitHub provides to authenticate webhook deliveries, allowing any party to spoof GitHub webhook events.

## Patches
The issue has been fixed in n8n versions 2.5.0 and 1.123.15. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Restrict network access to the n8n webhook endpoint to known GitHub webhook IP ranges.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Severity
  • CVSS 3.1 (GHSA): 4.0
  • CVSS 4.0 (GHSA): 6.3
Vulnerability type
CWE-290 (Authentication Bypass by Spoofing)
Published: 26 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026