6.3

Zendesk Webhook Forgery in n8n Allows Unauthorized Workflow Triggers

GHSA-38c7-23hj-2wgq
Summary

A flaw in n8n's Zendesk integration lets an attacker who knows a workflow's webhook URL trigger that workflow with forged data. To fix this, update to n8n version 2.6.2 or later. If that's not possible, limit workflow creation and editing permissions to fully trusted users and restrict network access to the n8n webhook endpoint to known Zendesk IP ranges as a temporary measure.

What to do
  • Update GitHub Actions n8n to version 1.123.18.
  • Update GitHub Actions n8n to version 2.6.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| GitHub Actions | n8n | <= 1.123.18 | 1.123.18 |
| GitHub Actions | n8n | > 2.0.0 , <= 2.6.2 | 2.6.2 |
Original title
n8n has Webhook Forgery on Zendesk Trigger Node
Original description
## Impact
An attacker who knows the webhook URL of a workflow using the ZendeskTrigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node does not verify the HMAC-SHA256 signature that Zendesk attaches to every outbound webhook, allowing any party to inject crafted payloads into the connected workflow.
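
The check the paragraph above says was missing, as an added example (not n8n's patch and not code from the advisory). It assumes Zendesk's documented signing scheme, base64(HMAC-SHA256(secret, timestamp + raw body)) carried in the two headers named in the code; the function names, the 5-minute freshness window, the secret and the sample payload are constructed for illustration.

```javascript
const crypto = require('crypto');

// Header names from Zendesk's webhook signing scheme (not stated in the advisory).
const SIG_HEADER = 'x-zendesk-webhook-signature';
const TS_HEADER = 'x-zendesk-webhook-signature-timestamp';

// Zendesk signs base64(HMAC-SHA256(secret, timestamp + rawBody)).
function signZendesk(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret).update(timestamp + rawBody, 'utf8').digest('base64');
}

// Hypothetical helper. rawBody must be the exact string received, not re-serialized JSON.
function verifyZendeskWebhook(headers, rawBody, secret, opts = {}) {
  const maxSkewMs = opts.maxSkewMs ?? 5 * 60 * 1000; // assumption: 5-minute freshness window
  const now = opts.now ?? Date.now();
  const sig = headers[SIG_HEADER];
  const ts = headers[TS_HEADER];
  // An unsigned POST (the forgery case in the advisory) is rejected here.
  if (typeof sig !== 'string' || typeof ts !== 'string') {
    return { ok: false, reason: 'missing-signature' };
  }
  const expected = Buffer.from(signZendesk(secret, ts, rawBody), 'base64');
  const received = Buffer.from(sig, 'base64');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // The timestamp is covered by the MAC, so it can be trusted once the MAC passes.
  const sentAt = Date.parse(ts);
  if (Number.isNaN(sentAt) || Math.abs(now - sentAt) > maxSkewMs) {
    return { ok: false, reason: 'stale-timestamp' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample data, not taken from a real Zendesk account.
const SECRET = 'constructed-signing-secret';
const BODY = '{"ticket_id":42,"status":"open"}';
const TS = '2026-02-26T12:00:00Z';
const NOW = Date.parse('2026-02-26T12:01:00Z');
const signedHeaders = { [TS_HEADER]: TS, [SIG_HEADER]: signZendesk(SECRET, TS, BODY) };

console.log('signed  :', verifyZendeskWebhook(signedHeaders, BODY, SECRET, { now: NOW }));
console.log('unsigned:', verifyZendeskWebhook({}, BODY, SECRET, { now: NOW }));
console.log('tampered:', verifyZendeskWebhook(signedHeaders, '{"ticket_id":1}', SECRET, { now: NOW }));
```
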

## Patches
The issue has been fixed in n8n versions 2.6.2 and 1.123.18. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Restrict network access to the n8n webhook endpoint to known Zendesk IP ranges.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
ghsa CVSS3.1 4.0
ghsa CVSS4.0 6.3
Vulnerability type
CWE-290
Published: 26 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026