DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-21894: Unsigned & Delivered: Forging Stripe Events in n8n (CVE-2026-21894)

Vulnerability ID: CVE-2026-21894
CVSS Score: 6.5
Published: 2026-01-07

A logic flaw in n8n's Stripe Trigger node (CVSS 6.5, Medium) let unauthenticated attackers spoof Stripe webhook events and run whatever workflow sits behind the trigger, needing nothing more than the webhook URL.

TL;DR

The Stripe Trigger node accepted incoming webhooks without checking the signature Stripe attaches to every delivery. An attacker who learns the webhook URL (a path containing a UUID, which is hard to guess but easy to leak through proxy and access logs) can POST a fabricated charge.succeeded event with curl, and n8n processes it as genuine: downstream steps may ship physical goods, issue licence keys, or corrupt financial records. The fix is the standard Stripe check: recompute HMAC-SHA256 over the raw request body with the endpoint's signing secret and compare it, in constant time, to the value in the Stripe-Signature header.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-290
  • Attack Vector: Network (Remote)
  • CVSS: 6.5 (Medium)
  • Authentication: None required
  • Impact: Integrity (High); business-logic manipulation
  • Patch Status: Fixed in 2.2.2

Affected Systems

  • n8n Workflow Automation Tool
  • n8n: >= 0.150.0 < 2.2.2 (Fixed in: 2.2.2)

Code Analysis

Commit: a61a599

feat(Stripe Trigger): Add signature verification

The diff is not reproduced here; the change adds a verifySignature helper to the node.

Exploit Details

  • Internal PoC: a single curl command that POSTs a fabricated Stripe event as JSON to the webhook endpoint, with no signature header at all.

Mitigation Strategies

  • Signature Verification: the only real fix; a webhook URL is a routing detail, not a credential.
  • Secret Rotation: regenerate the webhook path, and the Stripe signing secret, if compromise is suspected.
  • Access Control: restrict the endpoint's reachable source addresses (Stripe publishes the IP ranges its webhooks are sent from) as defence in depth, not as a substitute for the signature check.

Remediation Steps:

  1. Upgrade n8n to version 2.2.2 or later.
  2. Log in to the Stripe Dashboard and retrieve the Webhook Signing Secret (whsec_...).
  3. Update the Stripe credentials in n8n to include the Signing Secret.
  4. Regenerate the webhook path (the UUID) if logs show deliveries that did not originate from Stripe.

Read the full report for CVE-2026-21894 on our website for more details including interactive diagrams and full exploit analysis.
