GHSA-JH8H-6C9Q-7GMW: The Empty Badge: n8n Chat Trigger Auth Bypass

via Dev.to • CVE Reports • 1mo ago

Vulnerability ID: GHSA-JH8H-6C9Q-7GMW
CVSS Score: 4.2
Published: 2026-02-26

n8n, the popular workflow automation tool that serves as the central nervous system for many modern tech stacks, suffered from a critical logic flaw in its Chat Trigger node. The vulnerability allowed attackers to bypass authentication simply by providing a cookie—any cookie. The system checked for the presence of an authentication token but failed to validate its contents or signature, effectively treating a cardboard badge the same as a valid ID card.

TL;DR

The Chat Trigger node in n8n checked if an auth cookie existed but didn't verify it. Attackers can bypass authentication by sending a request with Cookie: n8n-auth=anything, triggering potentially sensitive workflows without credentials.

⚠️ Exploit Status: POC

Technical Details

  • Bug Class: Authentication Bypass
  • Attack Vector: Network (Web)
  • Root Cause: Improper Validation of Cookie Existence vs. Validity
  • CVSS
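The gap between "a cookie exists" and "the cookie is valid", shown as an added example that is not n8n's code or the advisory author's. The HMAC-signed token format and every function name are assumptions chosen for illustration; only the cookie name comes from the text above.

```javascript
// Added illustration; not n8n source code. All function names are hypothetical.
const crypto = require("node:crypto");

const COOKIE_NAME = "n8n-auth"; // cookie name as given in the advisory text
const SECRET = crypto.randomBytes(32); // constructed per-process signing key

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Stand-in token format: base64url(payload) + "." + base64url(HMAC-SHA256).
function issueToken(userId, ttlSeconds = 3600) {
  const payload = Buffer.from(
    JSON.stringify({ sub: userId, exp: Math.floor(Date.now() / 1000) + ttlSeconds })
  ).toString("base64url");
  const mac = crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
  return `${payload}.${mac}`;
}

// Flawed pattern described above: any non-empty cookie value passes.
function presenceOnlyCheck(cookieHeader) {
  return Boolean(parseCookies(cookieHeader)[COOKIE_NAME]);
}

// Corrected pattern: verify the signature, then the expiry, and fail closed.
function validatingCheck(cookieHeader) {
  const token = parseCookies(cookieHeader)[COOKIE_NAME];
  if (!token) return false;
  const [payload, mac, ...rest] = token.split(".");
  if (!payload || !mac || rest.length) return false;
  const expected = crypto.createHmac("sha256", SECRET).update(payload).digest();
  const given = Buffer.from(mac, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  try {
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
    return typeof claims.exp === "number" && claims.exp > Math.floor(Date.now() / 1000);
  } catch {
    return false;
  }
}
```

A regression test for this bug class should assert that a request carrying an arbitrary cookie value is rejected, not only that a request with no cookie is.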
