CVE-2026-54308 - Vulnerability Details - OpenCVE

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
N8n	N8n

No data.

No data.

References

Link	Providers
https://github.com/n8n-io/n8n/security/advisories/GHSA-jvc7-762p-3743

History

Wed, 24 Jun 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		N8n N8n n8n
Vendors & Products		N8n N8n n8n

Wed, 24 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 23 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.
Title		n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node
Weaknesses		CWE-290
References		https://github.com/n8n-io/n8n/security/advisories/GHSA-jvc7-762p-3743
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-23T15:42:39.342Z

Updated: 2026-06-24T13:59:08.481Z

Reserved: 2026-06-12T18:42:02.222Z

Link: CVE-2026-54308

Vulnrichment

Updated: 2026-06-24T13:59:01.262Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54308", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-12T18:42:02.222Z", "datePublished": "2026-06-23T15:42:39.342Z", "dateUpdated": "2026-06-24T13:59:08.481Z"}, "containers": {"cna": {"title": "n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jvc7-762p-3743", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jvc7-762p-3743"}], "affected": [{"vendor": "n8n-io", "product": "n8n", "versions": [{"version": ">= 2.26.0, < 2.26.2", "status": "affected"}, {"version": "< 2.25.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T15:42:39.342Z"}, "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2."}], "source": {"advisory": "GHSA-jvc7-762p-3743", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T13:58:56.409611Z", "id": "CVE-2026-54308", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T13:59:08.481Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-24T13:58:56.409611Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T13:59:01.262Z"}}], "cna": {"title": "n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node", "source": {"advisory": "GHSA-jvc7-762p-3743", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "n8n-io", "product": "n8n", "versions": [{"status": "affected", "version": ">= 2.26.0, < 2.26.2"}, {"status": "affected", "version": "< 2.25.7"}]}], "references": [{"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jvc7-762p-3743", "name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jvc7-762p-3743", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T15:42:39.342Z"}}}, "cveMetadata": {"cveId": "CVE-2026-54308", "state": "PUBLISHED", "dateUpdated": "2026-06-24T13:59:08.481Z", "dateReserved": "2026-06-12T18:42:02.222Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-23T15:42:39.342Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}