The AxonFlow SDK's WebhookSubscription (or equivalent) type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook deliveries. Affected callers had two unsatisfactory options:
This advisory is filed across all four AxonFlow SDKs (Go, Python, TypeScript, Java) because the same defect and the same fix landed in each.
Versions 5.6.0 and below.
A webhook receiver using the SDK's typed API to handle inbound deliveries had no path to authenticate the source of incoming payloads. An attacker who learned the webhook URL — through misconfiguration, log leakage, observable network traffic during setup, or any other discovery channel — could forge webhook deliveries indistinguishable from legitimate ones, causing the receiving application to act on fabricated events (e.g. simulated approval-granted callbacks, simulated policy-decision callbacks, simulated step-completion callbacks).
Upgrade to the patched version listed in Vulnerabilities below. The signing key is now exposed on the WebhookSubscription response type returned by CreateWebhook. Implementations should:
CreateWebhook securely (it is only returned once, at create time).HMAC-SHA256(secret, raw_body) and compare it in constant time against the X-AxonFlow-Signature header.Identified by AxonFlow internal security review during the April 2026 quality-freeze epic.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.9 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-mph8-9v29-pm42 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | @axonflow/sdk | < 6.0.0 | 6.0.0 | — |