The vulnerability CVE-2026-21894 affects the n8n open source workflow automation platform, specifically versions from 0.150.0 up to but not including 2.2.2. The issue resides in the Stripe Trigger node, which is designed to listen for Stripe webhook events to automate workflows based on payment or subscription activities. When a Stripe webhook endpoint is registered, n8n generates and stores a webhook signing secret intended to verify incoming webhook requests. However, due to a design flaw, incoming HTTP POST requests to the webhook URL are not validated against this secret. Consequently, any unauthenticated attacker who discovers the webhook URL—which includes a high-entropy UUID—can craft and send forged Stripe webhook events. These fake events cause the associated workflows to execute as if legitimate Stripe events were received. This can lead to unauthorized triggering of workflows that may perform critical business functions such as updating databases, sending notifications, or modifying subscription statuses. Although the webhook URL’s complexity reduces the likelihood of random discovery, authenticated n8n users with access to the workflows can view the URL, increasing the risk of insider threats or accidental leaks. The vulnerability does not require authentication or user interaction to exploit, making it remotely exploitable over the network. The CVSS 3.1 score of 6.5 reflects a medium severity, with low confidentiality impact (as no sensitive data is directly exposed), high integrity impact (due to unauthorized workflow execution), and no availability impact. No known exploits have been reported in the wild. The issue has been addressed in n8n version 2.2.2, which implements proper verification of webhook requests against the stored signing secret. As a temporary mitigation, users are advised to deactivate workflows using the Stripe Trigger node or restrict access to these workflows to trusted users only.

For European organizations using n8n with Stripe Trigger workflows, this vulnerability poses a significant risk to the integrity of automated business processes. Attackers could forge payment or subscription events, potentially causing financial discrepancies, unauthorized service activations or cancellations, and erroneous data processing. This could lead to financial losses, reputational damage, and compliance issues, especially under GDPR if personal data is mishandled as a result. The risk is heightened in organizations where multiple users have access to workflow configurations, increasing the chance of URL exposure. Since n8n is used in various industries including fintech, e-commerce, and SaaS, the impact could be broad. However, the absence of availability impact limits operational disruption. The medium severity rating suggests that while the threat is serious, it is not catastrophic if mitigated promptly. European companies relying on automated workflows for payment processing should prioritize patching or mitigation to maintain process integrity and regulatory compliance.

1. Upgrade n8n installations to version 2.2.2 or later, which includes the patch verifying Stripe webhook requests against the stored signing secret. 2. Until patching is possible, deactivate all workflows that use the Stripe Trigger node to prevent unauthorized triggering. 3. Restrict access to workflows containing Stripe Trigger nodes strictly to trusted and authorized users to minimize the risk of webhook URL exposure. 4. Implement network-level controls such as IP whitelisting or firewall rules to limit incoming requests to the webhook URL from known Stripe IP ranges. 5. Monitor workflow execution logs for unusual or unexpected Stripe event triggers that could indicate exploitation attempts. 6. Educate users with access to n8n workflows about the sensitivity of webhook URLs and enforce strict credential management policies. 7. Consider adding additional verification layers in workflows to validate event authenticity, such as checking event payload signatures manually if feasible. 8. Regularly audit n8n configurations and access controls to ensure compliance with security best practices.