GHSA-38c7-23hj-2wgq: n8n has Webhook Forgery on Zendesk Trigger Node
An attacker who knows the webhook URL of a workflow using the ZendeskTrigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node does not verify the HMAC-SHA256 signature that Zendesk attaches to every outbound webhook, allowing any party to inject crafted payloads into the connected workflow.
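A receiver-side check of the kind the node was missing, as an added example (not n8n's code or its fix). It assumes Zendesk's documented scheme, base64(HMAC-SHA256(signing secret, timestamp + raw body)), carried in the X-Zendesk-Webhook-Signature and X-Zendesk-Webhook-Signature-Timestamp headers; the function names, sample values and five-minute replay window are assumptions made here.

```javascript
const crypto = require("crypto");

// Header names (lower-cased, as Node exposes them) per Zendesk's webhook docs.
const SIG_HEADER = "x-zendesk-webhook-signature";
const TS_HEADER = "x-zendesk-webhook-signature-timestamp";

// signature = base64(HMAC-SHA256(secret, timestamp + rawBody))
function sign(secret, timestamp, rawBody) {
  return crypto
    .createHmac("sha256", secret)
    .update(timestamp + rawBody, "utf8")
    .digest("base64");
}

// Returns true only when the request carries a valid signature over the exact
// body received. maxSkewMs is a hypothetical replay window chosen for this
// example, not a value taken from Zendesk or n8n.
function verifyZendeskWebhook(headers, rawBody, secret,
                              now = Date.now(), maxSkewMs = 5 * 60 * 1000) {
  const sig = headers[SIG_HEADER];
  const ts = headers[TS_HEADER];
  // Unsigned request: reject instead of passing it on to the workflow.
  if (typeof sig !== "string" || typeof ts !== "string") return false;

  // Malformed or stale timestamp: reject to limit replay of captured requests.
  const sent = Date.parse(ts);
  if (Number.isNaN(sent) || Math.abs(now - sent) > maxSkewMs) return false;

  const expected = Buffer.from(sign(secret, ts, rawBody), "utf8");
  const received = Buffer.from(sig, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === received.length &&
         crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not real Zendesk traffic).
const SECRET = "constructed-signing-secret";
const TS = "2024-01-01T00:00:00Z";
const NOW = Date.parse(TS) + 1000;
const BODY = '{"ticket_id":123,"status":"open"}';
const signedHeaders = { [SIG_HEADER]: sign(SECRET, TS, BODY), [TS_HEADER]: TS };
```

Run the check on the raw request body before any JSON parsing, since re-serialized JSON will not match the signature.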