GHSA-9r75-g2cr-3h76: Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens
createWebhook() in Vercel Workflow DevKit accepts a user-specified token parameter that serves as the credential for the public webhook endpoint /.well-known/workflow/v1/webhook/{token}. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote attacker to guess the token and inject arbitrary payloads into the workflow execution context.