js · n8n · Heads-up
n8n: MicrosoftAgent365Trigger and StripeTrigger nodes missing request validation
What changed
The MicrosoftAgent365Trigger and StripeTrigger nodes did not validate inbound requests, allowing unauthenticated attackers to submit forged payloads and execute workflows with attacker-controlled data.
Who it affects
Users of n8n versions prior to 2.25.7 and 2.26.2 who use the MicrosoftAgent365Trigger or StripeTrigger nodes.
What to do today
Upgrade n8n to version 2.25.7 or 2.26.2 or later. If immediate upgrade is not possible, deactivate workflows using these nodes or restrict network access to the webhook endpoint.
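For readers who front a webhook endpoint themselves, here is the kind of inbound check whose absence the advisory describes, shown for the Stripe case only. It is an added example, not n8n's patch or code from the advisory; it follows Stripe's documented `Stripe-Signature` scheme (HMAC-SHA256 over `<timestamp>.<raw body>`), and the function names, secret and event body are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Parse a header of the form "t=<unix seconds>,v1=<hex>[,v1=<hex>...]".
function parseSignatureHeader(header) {
  const out = { t: null, v1: [] };
  for (const part of String(header || '').split(',')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === 't') out.t = value;
    else if (key === 'v1') out.v1.push(value);
  }
  return out;
}

// rawBody must be the exact bytes received, not re-serialized JSON.
function verifyStripeSignature(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!t || !/^\d+$/.test(t) || v1.length === 0) {
    return { ok: false, reason: 'malformed-header' };
  }
  // Reject old timestamps so a captured request cannot be replayed later.
  if (Math.abs(nowSec - Number(t)) > toleranceSec) {
    return { ok: false, reason: 'stale-timestamp' };
  }
  const expected = crypto.createHmac('sha256', secret)
    .update(`${t}.${rawBody}`, 'utf8').digest();
  const match = v1.some((sig) =>
    /^[0-9a-f]{64}$/i.test(sig) &&
    crypto.timingSafeEqual(Buffer.from(sig, 'hex'), expected)); // constant-time compare
  return match ? { ok: true, reason: 'valid' } : { ok: false, reason: 'bad-signature' };
}

// Constructed sample data (not real Stripe values).
const SECRET = 'whsec_constructed_example_secret';
const BODY = '{"id":"evt_constructed","type":"checkout.session.completed"}';
const NOW = 1700000000;

// Hypothetical helper that signs the way the sender would, for the demo only.
function sign(body, t, secret) {
  return crypto.createHmac('sha256', secret).update(`${t}.${body}`, 'utf8').digest('hex');
}
const GOOD_HEADER = `t=${NOW},v1=${sign(BODY, NOW, SECRET)}`;
```

A request that fails this check should be rejected before any workflow logic sees the payload.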
Source
GitHub Advisory · n8n