CVE-2026-21894: CWE-290: Authentication Bypass by Spoofing in n8n-io n8n
n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only.
AI Analysis
Technical Summary
The vulnerability CVE-2026-21894 affects the n8n open source workflow automation platform, specifically versions from 0.150.0 up to but not including 2.2.2. The issue resides in the Stripe Trigger node, which listens for Stripe webhook events and starts a workflow when one arrives. When a webhook endpoint is registered, n8n generates and stores a Stripe webhook signing secret intended to verify the authenticity of incoming webhook requests. However, incoming webhook requests were never validated against this secret. This allows any HTTP client that knows the webhook URL to send a POST request with a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. The webhook URL includes a high-entropy UUID, which reduces the likelihood of random discovery, but authenticated n8n users with access to the workflow can view this URL, which raises the risk of targeted misuse by insiders. An attacker exploiting this vulnerability could fake payment or subscription events, potentially manipulating business logic or financial records, or triggering unintended automated actions downstream. The vulnerability requires neither authentication nor user interaction; no availability or confidentiality impact is noted, but integrity is significantly affected. The issue has been addressed in n8n version 2.2.2. Until upgrading, recommended mitigations include deactivating workflows using the Stripe Trigger node or restricting access to these workflows to trusted users only. No public exploits have been reported to date.
Potential Impact
For European organizations using n8n with Stripe Trigger workflows, this vulnerability poses a risk of unauthorized workflow execution, potentially leading to fraudulent financial event processing or manipulation of automated business processes. The integrity of payment-related data and subscription management could be compromised, resulting in financial discrepancies, erroneous customer billing, or unauthorized service provisioning. While the confidentiality and availability of systems are not directly impacted, the trustworthiness of automated workflows is undermined, which could damage operational reliability and compliance with regulatory obligations such as GDPR and PSD2. Organizations in sectors heavily reliant on automated payment processing, such as e-commerce, fintech, and SaaS providers, are particularly at risk. The medium severity rating reflects the moderate ease of exploitation balanced against the significant impact on data integrity. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in environments where the webhook URL might be exposed to insiders or through misconfiguration.
Mitigation Recommendations
1. Upgrade n8n installations to version 2.2.2 or later immediately to apply the official patch that verifies Stripe webhook signatures properly.
2. Until patching is possible, deactivate any workflows that use the Stripe Trigger node to prevent unauthorized triggering.
3. Restrict access to workflows containing Stripe Trigger nodes to a minimal set of trusted and authenticated users to reduce the risk of URL exposure.
4. Implement network-level controls such as IP allowlisting or firewall rules to limit incoming webhook requests to known Stripe IP ranges.
5. Monitor workflow execution logs for unusual or unexpected Stripe event triggers that could indicate exploitation attempts.
6. Educate administrators and developers about the importance of protecting webhook URLs and secrets, avoiding sharing them unnecessarily.
7. Consider adding additional verification layers in workflows, such as validating event payloads against Stripe's API or implementing custom authentication checks.
8. Review and audit all automated workflows that depend on external webhook triggers to ensure they have appropriate security controls and fail-safes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T17:24:36.929Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 695f815bc901b06321d3faf7
Added to database: 1/8/2026, 10:05:15 AM
Last enriched: 1/8/2026, 10:20:35 AM
Last updated: 1/9/2026, 5:39:07 AM