n8n webhooks: why your automations are vulnerable to attacks
> TL;DR: n8n webhooks exposed in frontend allow unauthenticated attacks. Here's how to secure your workflows.
n8n: exposed automation
Webhook URLs hardcoded in frontend JavaScript — accessible to any visitor.
What we found
On a training platform, an n8n webhook allowed unauthenticated admin account creation. Exploitation time: 2 minutes.
How to secure
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Payroll webhooks to accounting: signature, replay, and data in transit
Webhooks leaving a payroll tool for an accounting system carry sensitive amounts. What to actually verify.
n8n CVE-2026-59208: a JWT token exchange flaw that logs you in as someone else
On n8n Enterprise instances trusting two external token issuers, the token-exchange flow matched an incoming JWT on the sub claim alone and ignored iss. A valid token from issuer A logged you in as a user under issuer B. CVSS 7.6 (4.0) / 6.8 (3.1). Fix: n8n 2.27.4 and 2.28.1.
Firebase Firestore: why 'allow read, write: if request.auth != null' is not security
The basic Firestore authentication rule doesn't protect your data. Here's why and how to fix it.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.