GHSA-mqpr-49jj-32rc: n8n: Webhook Forgery on Github Webhook Trigger

February 26, 2026

An attacker who knows the webhook URL of a workflow using the GitHub Webhook Trigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node did not implement the HMAC-SHA256 signature verification that GitHub provides to authenticate webhook deliveries, allowing any party to spoof GitHub webhook events.

References

github.com/advisories/GHSA-mqpr-49jj-32rc
github.com/n8n-io/n8n
github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578
github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36
github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc

Code Behaviors & Features

Detect and mitigate GHSA-mqpr-49jj-32rc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →