n8n Authentication Bypass Vulnerability in Stripe Trigger Node Allows Forged Webhook Events

An authentication bypass vulnerability has been identified in the Stripe Trigger node of n8n, an open-source workflow automation platform. This vulnerability is present in versions 0.150.0 prior to 2.2.2. The issue allows unauthenticated users to trigger workflows by sending fake Stripe webhook events. The vulnerability arises because incoming webhook requests were not verified against a stored signing secret, enabling any HTTP client that knows the webhook URL to send a POST request with a matching event type. This could cause the workflow to execute as if a legitimate Stripe event had been received. The vulnerability affects n8n users with active workflows using the Stripe Trigger node, potentially allowing attackers to fake payment or subscription events and disrupt workflow behavior.

Impact

Exploitation of this vulnerability could lead to unauthorized triggering of workflows via forged Stripe webhook events, allowing for manipulation of workflow processes and potentially causing disruptions or unauthorized actions within the automated workflows.

Reproduction

To reproduce this vulnerability, an unauthenticated user can send a POST request to an n8n webhook URL associated with the Stripe Trigger node, including a Stripe event type in the request. Since the webhook URL contains a high-entropy UUID, knowledge of this ID is required to successfully send the forged event. Once the request is received, the corresponding workflow will be executed as if a legitimate Stripe event had been processed.

Remediation

Users can upgrade to n8n version 2.2.2 or later, where this vulnerability has been patched. After upgrading, it is recommended to re-enable any workflows that were deactivated due to this issue.