CVE-2026-54308 Overview
CVE-2026-54308 is an authentication bypass vulnerability in n8n, an open source workflow automation platform. The MicrosoftAgent365Trigger and StripeTrigger nodes fail to validate the authenticity of inbound webhook requests. An unauthenticated attacker who knows or guesses the webhook URL can submit a forged payload that causes the associated workflow to execute with attacker-controlled data. The flaw is tracked as [CWE-290: Authentication Bypass by Spoofing]. n8n versions prior to 2.25.7 and 2.26.2 are affected, and fixes are available in 2.25.7 and 2.26.2.
Critical Impact
Unauthenticated attackers can trigger n8n workflows with forged payloads, leading to execution of automation logic using untrusted, attacker-supplied data.
Affected Products
- n8n versions prior to 2.25.7
- n8n versions prior to 2.26.2 (on the 2.26.x branch)
- Workflows using the MicrosoftAgent365Trigger or StripeTrigger nodes
Discovery Timeline
- 2026-06-23 - CVE-2026-54308 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-54308
Vulnerability Analysis
The vulnerability resides in two trigger nodes within n8n: MicrosoftAgent365Trigger and StripeTrigger. Both nodes expose a webhook endpoint intended to receive callbacks from their respective upstream services. However, neither node validates that an inbound request actually originates from Microsoft 365 or Stripe. The trigger nodes accept any HTTP request that reaches the webhook URL and pass the payload directly into the workflow execution context.
Because n8n workflows can perform privileged operations such as data exfiltration, file writes, API calls, and downstream system updates, executing them with attacker-controlled input creates a significant trust boundary violation. The issue is classified as [CWE-290], where the system relies on an assumed identity that is never verified.
Root Cause
The MicrosoftAgent365Trigger and StripeTrigger nodes omit signature validation. Stripe webhooks normally carry a Stripe-Signature header that should be verified using a shared signing secret and HMAC-SHA256. Microsoft 365 webhooks rely on validation tokens and client state checks. Neither check was enforced in vulnerable versions, so the nodes treated unauthenticated traffic as legitimate provider callbacks.
Attack Vector
An attacker who learns the webhook URL, through reconnaissance, log leakage, browser history, or referrer headers, can send a crafted HTTP request to the n8n instance. The request body is parsed and forwarded to the workflow, causing downstream nodes to execute against forged data. Network access to the n8n webhook endpoint is the only prerequisite. No credentials, user interaction, or prior authentication are required. See the GitHub Security Advisory GHSA-jvc7-762p-3743 for vendor technical details.
Detection Methods for CVE-2026-54308
Indicators of Compromise
- Inbound HTTP requests to /webhook/* paths bound to MicrosoftAgent365Trigger or StripeTrigger nodes that lack a valid Stripe-Signature header or Microsoft 365 validation token.
- Webhook executions originating from source IP ranges outside Stripe's or Microsoft's published egress ranges.
- Workflow runs triggered by these nodes with payload shapes or event types that do not match prior baselines.
Detection Strategies
- Review n8n execution logs for triggers fired by MicrosoftAgent365Trigger or StripeTrigger and correlate against signed events recorded in the provider dashboard.
- Compare request source IPs against Stripe's webhook IP list and Microsoft 365 service IP ranges.
- Alert on webhook requests missing expected signature or validation headers.
Monitoring Recommendations
- Forward n8n audit and execution logs to a centralized SIEM and retain at least 90 days for retrospective analysis.
- Track outbound actions performed by workflows that consume these trigger nodes, particularly file writes, credential use, and external API calls.
- Monitor reverse proxy or WAF logs for unauthenticated POSTs to n8n webhook paths.
How to Mitigate CVE-2026-54308
Immediate Actions Required
- Upgrade n8n to version 2.25.7 or 2.26.2, whichever matches your current release branch.
- Audit existing workflows that use MicrosoftAgent365Trigger or StripeTrigger and review their execution history for unexpected runs.
- Rotate any secrets, tokens, or credentials that may have been exposed through workflows invoked by forged payloads.
Patch Information
n8n addressed the vulnerability in releases 2.25.7 and 2.26.2 by enforcing inbound request validation on the affected trigger nodes. Details are published in the GitHub Security Advisory GHSA-jvc7-762p-3743.
Workarounds
- Place n8n behind a reverse proxy or WAF that enforces signature validation for Stripe and Microsoft 365 webhook paths before forwarding requests.
- Restrict inbound traffic to n8n webhook endpoints to known provider IP ranges using firewall or security group rules.
- Temporarily disable workflows that depend on the affected trigger nodes until the patched version is deployed.
# Example nginx snippet enforcing Stripe IP allowlist in front of n8n
# until upgrade to 2.25.7 or 2.26.2 is completed
location /webhook/stripe/ {
allow 3.18.12.63;
allow 3.130.192.231;
allow 13.235.14.237;
# add full list from https://docs.stripe.com/ips
deny all;
proxy_pass http://n8n_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

