CVE-2026-21894 Overview
CVE-2026-21894 is an authentication bypass vulnerability affecting the n8n workflow automation platform. The vulnerability exists in the Stripe Trigger node, which fails to verify incoming webhook requests against the stored Stripe webhook signing secret. This allows unauthenticated attackers to trigger workflows by sending forged Stripe webhook events, potentially manipulating downstream workflow behavior through fake payment or subscription events.
Critical Impact
Attackers can bypass authentication and trigger arbitrary workflow executions by sending forged Stripe webhook events to vulnerable n8n instances, potentially influencing business logic through fake payment notifications.
Affected Products
- n8n versions 0.150.0 to 2.2.1
- n8n workflow automation platform with active Stripe Trigger nodes
- Self-hosted and cloud n8n deployments using Stripe integrations
Discovery Timeline
- 2026-01-08 - CVE-2026-21894 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21894
Vulnerability Analysis
The vulnerability resides in the Stripe Trigger node implementation within n8n's workflow automation system. When users configure a Stripe Trigger, n8n creates and stores a Stripe webhook signing secret during the webhook endpoint registration process. However, the critical flaw is that incoming webhook requests were not validated against this stored secret.
This authentication bypass (CWE-290: Authentication Bypass by Spoofing) allows any HTTP client with knowledge of the webhook URL to send a POST request containing a matching event type. The n8n platform processes these requests as if they were legitimate Stripe events, executing the associated workflow without proper authentication verification.
The attack surface is somewhat limited by the fact that webhook URLs contain a high-entropy UUID, making discovery through brute force impractical. However, any authenticated n8n user with access to view the workflow configuration can obtain this webhook ID, creating an insider threat vector.
Root Cause
The root cause is the absence of signature verification for incoming Stripe webhook requests. While the Stripe Trigger node properly creates and stores the webhook signing secret during setup, the incoming request handling code path did not include the cryptographic verification step that would confirm the request originated from Stripe's servers using the Stripe-Signature header.
Attack Vector
This vulnerability is exploitable over the network without requiring authentication to the target system. An attacker who obtains the webhook URL (either through insider access or other means) can send crafted HTTP POST requests directly to the n8n webhook endpoint. The forged requests need only contain a valid JSON payload with a matching event type to trigger workflow execution.
// Security patch in packages/nodes-base/credentials/StripeApi.credentials.ts
// fix(Stripe Trigger Node): Add Stripe signature verification (#22764)
typeOptions: { password: true },
default: '',
},
+ {
+ displayName: 'Signature Secret',
+ name: 'signatureSecret',
+ type: 'string',
+ typeOptions: { password: true },
+ default: '',
+ description:
+ 'The signature secret is used to verify the authenticity of requests sent by Stripe.',
+ },
+ {
+ displayName:
+ 'We strongly recommend setting up a <a href="https://stripe.com/docs/webhooks" target="_blank">signing secret</a> to ensure the authenticity of requests.',
+ name: 'notice',
+ type: 'notice',
+ default: '',
+ displayOptions: {
+ show: {
+ signatureSecret: [''],
+ },
+ },
+ },
];
authenticate: IAuthenticateGeneric = {
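Review bot: `signatureSecret` is added with `default: ''` and no `required` flag, and the `notice` entry below it only recommends configuring one, so an existing Stripe credential that is never edited after the upgrade still leaves its trigger unverified; consider requiring the field for the trigger, or having the node refuse to start a workflow when the secret is empty rather than silently skipping the check. The `description` should also say how this user-entered field relates to the signing secret the trigger already stores when it registers the webhook (see Vulnerability Analysis above), since operators otherwise have two secrets to keep in sync.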
Source: GitHub Commit Update
// Security patch in packages/nodes-base/nodes/Stripe/StripeTrigger.node.ts
// fix(Stripe Trigger Node): Add Stripe signature verification (#22764)
import { NodeApiError, NodeConnectionTypes } from 'n8n-workflow';
import { stripeApiRequest } from './helpers';
+import { verifySignature } from './StripeTriggerHelpers';
export class StripeTrigger implements INodeType {
description: INodeTypeDescription = {
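Review bot: only the `verifySignature` import is visible in this hunk, not the call site in the trigger's webhook handler, so the review needs to confirm three things there: the check runs over the raw request body (Stripe signs the exact bytes it sent, so a re-serialised JSON object will not match), it runs before event-type filtering and before any workflow execution, and a missing `Stripe-Signature` header or an empty `signatureSecret` results in a rejected request rather than a fall-through to the old unverified path. A unit test that posts a forged event with no header would document that behaviour.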
Source: GitHub Commit Update
Detection Methods for CVE-2026-21894
Indicators of Compromise
- Unexpected workflow executions triggered by Stripe events without corresponding legitimate Stripe dashboard activity
- HTTP POST requests to Stripe webhook endpoints from IP addresses not belonging to Stripe's published IP ranges
- Anomalous patterns in workflow execution logs, particularly for payment or subscription-related workflows
- Stripe webhook events that don't match corresponding records in your Stripe dashboard
Detection Strategies
- Monitor n8n workflow execution logs for Stripe Trigger activations and correlate with actual Stripe dashboard events
- Implement network-level monitoring to detect POST requests to webhook endpoints from non-Stripe IP addresses
- Review n8n access logs for users who have viewed workflow configurations containing Stripe Trigger nodes
- Set up alerts for unusual volumes of Stripe webhook events or executions outside normal business patterns
Monitoring Recommendations
- Enable detailed logging for all Stripe Trigger workflow executions including source IP addresses
- Configure SIEM rules to alert on webhook executions that lack valid Stripe signature headers
- Regularly audit n8n user access to sensitive workflows containing payment integrations
- Monitor downstream systems affected by Stripe-triggered workflows for unexpected state changes
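The Detection Strategies and Monitoring Recommendations above can be turned into a first-pass triage over access logs from a reverse proxy in front of n8n; the code below is an added example in TypeScript, not n8n's own. It assumes the proxy logs one JSON object per request including the Stripe-Signature header value, that n8n webhook URLs use the default /webhook/<uuid> shape, and a placeholder source-address allowlist standing in for the list Stripe publishes; the log lines are constructed.

```typescript
// Constructed access-log lines as a proxy in front of n8n could emit when told to log the
// Stripe-Signature header (not real traffic; the UUID and addresses are documentation values).
const SAMPLE_LOG_LINES: string[] = [
  '{"ts":"2026-01-09T10:00:01Z","src":"192.0.2.10","method":"POST","path":"/webhook/7c4e0a8f-3b2d-4f7e-9a1c-2d5b6e8f0a11","stripe_signature":"t=1767952801,v1=ab12"}',
  '{"ts":"2026-01-09T10:00:07Z","src":"198.51.100.23","method":"POST","path":"/webhook/7c4e0a8f-3b2d-4f7e-9a1c-2d5b6e8f0a11","stripe_signature":null}',
  '{"ts":"2026-01-09T10:00:09Z","src":"198.51.100.23","method":"POST","path":"/webhook/7c4e0a8f-3b2d-4f7e-9a1c-2d5b6e8f0a11","stripe_signature":"t=1767952809,v1=ff00"}',
  '{"ts":"2026-01-09T10:00:12Z","src":"203.0.113.5","method":"GET","path":"/rest/workflows","stripe_signature":null}',
  'not a json line',
];

interface LogEntry { ts: string; src: string; method: string; path: string; stripe_signature: string | null }
interface Finding { ts: string; src: string; path: string; reasons: string[] }

// Assumption: n8n's default webhook URL shape, a UUID under /webhook/ (or /webhook-test/).
const WEBHOOK_PATH = /^\/webhook(?:-test)?\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Placeholder allowlist: fill from the webhook source addresses Stripe publishes, not from here.
const STRIPE_SOURCE_ALLOWLIST: ReadonlySet<string> = new Set(['192.0.2.10']);

function parseLogLine(line: string): LogEntry | null {
  try {
    return JSON.parse(line) as LogEntry;
  } catch (err) {
    return null; // malformed lines are skipped here; a real pipeline should count them
  }
}

/** Flag webhook POSTs that lack a Stripe-Signature header or come from outside the allowlist. */
function triageWebhookLog(lines: string[], allowlist: ReadonlySet<string> = STRIPE_SOURCE_ALLOWLIST): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (entry === null || entry.method !== 'POST' || !WEBHOOK_PATH.test(entry.path)) continue;
    const reasons: string[] = [];
    if (!entry.stripe_signature) reasons.push('missing Stripe-Signature header');
    if (!allowlist.has(entry.src)) reasons.push('source address not in Stripe allowlist');
    if (reasons.length > 0) findings.push({ ts: entry.ts, src: entry.src, path: entry.path, reasons });
  }
  return findings;
}
```

A present header is only a coarse signal, since a forged request can carry one; the third sample line is flagged on source address alone for that reason, and real assurance requires checking the signature against the signing secret.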
How to Mitigate CVE-2026-21894
Immediate Actions Required
- Upgrade n8n to version 2.2.2 or later immediately
- Audit all active workflows using Stripe Trigger nodes and verify they are updated
- Review recent workflow execution logs for any suspicious Stripe-triggered activity
- Rotate Stripe webhook signing secrets after upgrading to ensure no leaked secrets are exploitable
Patch Information
The vulnerability has been patched in n8n version 2.2.2. The fix introduces proper Stripe signature verification using the verifySignature function imported from StripeTriggerHelpers. Users should upgrade to this version or later to ensure incoming webhook requests are cryptographically verified against the stored signing secret. Technical details are available in the GitHub Pull Request and GitHub Security Advisory.
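The verification step that the Root Cause section describes as missing, and that the 2.2.2 fix adds through verifySignature, is implemented below as an added example in TypeScript; it is not n8n's or Stripe's code, and the secret, event body and timestamp are constructed. It checks the Stripe-Signature header the way Stripe documents it: HMAC-SHA256 over `<t>.<raw body>` keyed with the endpoint signing secret, compared in constant time against each v1 value, with the timestamp held to a replay tolerance.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

const DEFAULT_TOLERANCE_SECONDS = 300; // Stripe's documented default replay window for t=

/** Parse a Stripe-Signature header: "t=<unix>,v1=<hex>[,v1=<hex>...][,v0=<hex>]". */
function parseStripeSignature(header: string): { t: number; v1: string[] } {
  const v1: string[] = [];
  let t = Number.NaN;
  for (const part of header.split(',')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === 't') t = Number(value);
    else if (key === 'v1' && value.length > 0) v1.push(value);
  }
  return { t, v1 };
}

/** HMAC-SHA256 over "<t>.<raw body>" keyed with the endpoint signing secret, hex-encoded. */
function computeStripeSignature(secret: string, t: number, rawBody: string): string {
  return createHmac('sha256', secret).update(`${t}.${rawBody}`).digest('hex');
}

/**
 * True only when the header is present, its timestamp is within tolerance of nowSeconds
 * (replay defence) and at least one v1 value matches the HMAC over the raw body. An empty
 * secret never verifies: accepting the request in that case is exactly the pre-fix behaviour.
 */
function verifyStripeWebhook(rawBody: string, signatureHeader: string | undefined, secret: string, nowSeconds: number, toleranceSeconds = DEFAULT_TOLERANCE_SECONDS): boolean {
  if (!signatureHeader || secret.length === 0) return false;
  const { t, v1 } = parseStripeSignature(signatureHeader);
  if (!Number.isInteger(t) || v1.length === 0) return false;
  if (Math.abs(nowSeconds - t) > toleranceSeconds) return false;
  const expected = new TextEncoder().encode(computeStripeSignature(secret, t, rawBody));
  return v1.some((candidate) => {
    const given = new TextEncoder().encode(candidate);
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
}

// Constructed sample (not a real Stripe secret or event), signed with the function above.
const SAMPLE_SECRET = 'whsec_constructed_example_only';
const SAMPLE_BODY = '{"id":"evt_constructed","type":"payment_intent.succeeded"}';
const SAMPLE_T = 1767830400;
const SAMPLE_HEADER = `t=${SAMPLE_T},v1=${computeStripeSignature(SAMPLE_SECRET, SAMPLE_T, SAMPLE_BODY)}`;
```

The check must run on the raw body bytes as received, before the JSON is parsed or the event type is inspected; re-serialising the parsed object changes the bytes and breaks the signature.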
Workarounds
- Deactivate all workflows containing Stripe Trigger nodes until the patch can be applied
- Restrict access to workflows containing Stripe Trigger nodes to trusted users only to prevent webhook URL disclosure
- Implement network-level filtering to only allow webhook requests from Stripe's published IP address ranges
- Consider using a reverse proxy or WAF to validate Stripe signatures before requests reach n8n
# Configuration example
# Restrict access to n8n workflows with Stripe integrations:
# review and limit user permissions in n8n settings
# Check current n8n version
n8n --version
# Upgrade n8n to the patched version (global npm install)
npm install -g n8n@2.2.2
# Or using Docker
docker pull n8nio/n8n:2.2.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

