Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25631 is a moderate severity vulnerability in the n8n workflow automation platform affecting versions prior to 1.121.0. It exists in the HTTP Request node\'s credential domain validation mechanism, which improperly handles wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting.'}, {'type': 'paragraph', 'content': 'This flaw allows an authenticated attacker with low privileges to bypass domain restrictions and send HTTP requests with credentials to unintended domains. This can potentially lead to credential exfiltration.'}, {'type': 'paragraph', 'content': 'The vulnerability requires no user interaction, has low attack complexity, and can be exploited remotely over the network. It is classified under CWE-20 (Improper Input Validation), meaning the product fails to correctly validate input data to ensure safe processing.'}, {'type': 'paragraph', 'content': 'The issue is fixed in n8n version 1.121.0 and later.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized disclosure of credentials by allowing an attacker to send requests with credentials to unintended domains.'}, {'type': 'paragraph', 'content': 'The impact is limited to confidentiality loss; there is no impact on the integrity or availability of the system.'}, {'type': 'paragraph', 'content': 'If you use credentials with wildcard domain patterns in the "Allowed domains" setting, your credentials could be exposed to attackers who exploit this flaw.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection involves auditing existing workflows that use HTTP Request nodes with credentials configured with wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting.'}, {'type': 'paragraph', 'content': 'Specifically, look for workflows where HTTP Request nodes send requests with credentials to domains outside the explicitly allowed list, which could indicate exploitation or misconfiguration.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows an authenticated attacker to send requests with credentials to unintended domains, monitoring network traffic for HTTP requests originating from n8n instances to unexpected domains may help detect exploitation.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the available resources, but general approaches include:'}, {'type': 'list_item', 'content': 'Review n8n workflow configurations for HTTP Request nodes using wildcard domain patterns in credentials.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze outgoing HTTP requests from the n8n server to detect requests sent to unintended domains.'}, {'type': 'list_item', 'content': 'Check n8n logs for unusual HTTP Request node activity or requests to domains not explicitly allowed.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade n8n to version 1.121.0 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'As temporary workarounds before upgrading, users should:'}, {'type': 'list_item', 'content': 'Replace wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting with explicit domain listings to prevent unintended domain access.'}, {'type': 'list_item', 'content': 'Restrict workflow creation and modification permissions to trusted users only, reducing the risk of malicious workflows exploiting this vulnerability.'}, {'type': 'list_item', 'content': 'Audit existing workflows that use HTTP Request nodes with domain-restricted credentials to identify and remediate risky configurations.'}] [1]

Useful 0 Not Useful 0