GHSA-38c7-23hj-2wgq
n8n has Webhook Forgery on Zendesk Trigger Node
Details
## Impact An attacker who knows the webhook URL of a workflow using the ZendeskTrigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node does not verify the HMAC-SHA256 signature that Zendesk attaches to every outbound webhook, allowing any party to inject crafted payloads into the connected workflow.
## Patches The issue has been fixed in n8n versions 2.6.2 and 1.123.18. Users should upgrade to one of these versions or later to remediate the vulnerability.
## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Restrict network access to the n8n webhook endpoint to known Zendesk IP ranges.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Are you affected?
Enter the version of the package you're using.