CVE-2026-56360

Summary

n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data.

Affected Software

VendorProductVersion RangeStatus
n8nn8n0 < 1.123.18affected
n8nn8n1.123.18unaffected
n8nn8n2.0.0 < 2.6.2affected
n8nn8n2.6.2unaffected

Weaknesses

  • CWE-290: Authentication Bypass by Spoofing

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References