CVE-2026-25631
Credential Domain Validation Bypass in n8n HTTP Request Node
Publication date: 2026-02-06
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | to 1.121.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25631 is a moderate severity vulnerability in the n8n workflow automation platform affecting versions prior to 1.121.0. It exists in the HTTP Request node\'s credential domain validation mechanism, which improperly handles wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting.'}, {'type': 'paragraph', 'content': 'This flaw allows an authenticated attacker with low privileges to bypass domain restrictions and send HTTP requests with credentials to unintended domains. This can potentially lead to credential exfiltration.'}, {'type': 'paragraph', 'content': 'The vulnerability requires no user interaction, has low attack complexity, and can be exploited remotely over the network. It is classified under CWE-20 (Improper Input Validation), meaning the product fails to correctly validate input data to ensure safe processing.'}, {'type': 'paragraph', 'content': 'The issue is fixed in n8n version 1.121.0 and later.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized disclosure of credentials by allowing an attacker to send requests with credentials to unintended domains.'}, {'type': 'paragraph', 'content': 'The impact is limited to confidentiality loss; there is no impact on the integrity or availability of the system.'}, {'type': 'paragraph', 'content': 'If you use credentials with wildcard domain patterns in the "Allowed domains" setting, your credentials could be exposed to attackers who exploit this flaw.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection involves auditing existing workflows that use HTTP Request nodes with credentials configured with wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting.'}, {'type': 'paragraph', 'content': 'Specifically, look for workflows where HTTP Request nodes send requests with credentials to domains outside the explicitly allowed list, which could indicate exploitation or misconfiguration.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows an authenticated attacker to send requests with credentials to unintended domains, monitoring network traffic for HTTP requests originating from n8n instances to unexpected domains may help detect exploitation.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the available resources, but general approaches include:'}, {'type': 'list_item', 'content': 'Review n8n workflow configurations for HTTP Request nodes using wildcard domain patterns in credentials.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze outgoing HTTP requests from the n8n server to detect requests sent to unintended domains.'}, {'type': 'list_item', 'content': 'Check n8n logs for unusual HTTP Request node activity or requests to domains not explicitly allowed.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade n8n to version 1.121.0 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'As temporary workarounds before upgrading, users should:'}, {'type': 'list_item', 'content': 'Replace wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting with explicit domain listings to prevent unintended domain access.'}, {'type': 'list_item', 'content': 'Restrict workflow creation and modification permissions to trusted users only, reducing the risk of malicious workflows exploiting this vulnerability.'}, {'type': 'list_item', 'content': 'Audit existing workflows that use HTTP Request nodes with domain-restricted credentials to identify and remediate risky configurations.'}] [1]