CVE-2026-25631

MEDIUM
Published February 6, 2026
CISO Take

n8n is the de facto orchestration layer for AI agent pipelines — it holds API keys to OpenAI, Anthropic, vector DBs, and every downstream service your agents touch. Any authenticated user (insider, compromised service account, low-priv contractor) can exfiltrate those credentials if wildcard domain patterns are configured. Patch to 1.121.0 immediately and audit every HTTP Request node for wildcard Allowed Domains entries.

Affected Systems

Package: n8n
Ecosystem: npm
Vulnerable Range: (not given)
Patched: No patch

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

1) Patch: Upgrade n8n to 1.121.0 or later — this is the only full fix.
2) Audit: Enumerate all HTTP Request nodes using credentials with wildcard patterns (*.example.com); replace wildcards with explicit FQDN allowlists.
3) Rotate: Assume any credential attached to a wildcard-configured HTTP Request node is compromised; rotate immediately.
4) Access control: Restrict n8n workflow edit permissions — not every user needs the ability to create or modify HTTP Request nodes.
5) Detection: Monitor outbound HTTP from n8n for requests to unexpected domains, especially subdomains of otherwise-trusted domains.
6) Segment: If running n8n in a shared environment, isolate it from high-value credential stores.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.2 - Roles, responsibilities and authorities for AI
A.6.2.6 - AI system security controls
A.9.3 - AI system security and data protection
NIST AI RMF
GOVERN 1.7 - Processes for AI risk management include security
MANAGE 2.4 - Risks and benefits of deployed AI are monitored
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure
LLM07:2025 - System Prompt Leakage

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to 1.121.0, a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This only affects users who have credentials that use wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting. This issue is fixed in version 1.121.0 and later.

Exploitation Scenario

Attacker gains low-privilege access to an n8n instance (e.g., via phishing a workflow developer or reusing a leaked n8n account). They identify an HTTP Request node that uses a credential configured with 'Allowed domains: *.internal-corp.com'. The attacker creates or modifies a workflow to send a request to 'exfil.attacker-controlled.com' — or more subtly, registers 'attacker.internal-corp.com' if the wildcard is broader than intended. The n8n credential domain validation passes the wildcard check, attaches the stored API key or token to the outbound request, and the credential is delivered to the attacker's endpoint. In AI agent deployments, this credential often grants access to LLM APIs, vector databases, or connected SaaS tools used by the agent pipeline.
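As an added illustration of the defensive side of the scenario above and of the audit step in the recommended actions, the following TypeScript is not n8n's own code: it shows what a strict "Allowed domains" check looks like (a wildcard covers real subdomains only, the request host comes from parsing the URL, and non-http(s) schemes are refused) together with a helper that flags wildcard entries for replacement by explicit FQDNs. The allowlist entries and hostnames are constructed from this page's scenario.

```typescript
// Added example, not n8n's implementation. Models a strict allowed-domain
// check for attaching a stored credential to an outbound HTTP request, and an
// audit helper for wildcard entries. Allowlist values are constructed samples.

function parseUrl(url: string): URL | null {
  try { return new URL(url); } catch { return null; }
}

// Hostname the request would actually be sent to, lowercased and with any
// trailing dot removed; null for unparseable URLs or non-http(s) schemes.
function requestHost(url: string): string | null {
  const u = parseUrl(url);
  if (u === null) return null;
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname.toLowerCase().replace(/\.$/, "");
}

// "*.example.com" covers labels under example.com only: never example.com
// itself and never a host that merely contains or ends with the text.
// Any other pattern must equal the host exactly.
function hostMatchesPattern(host: string, pattern: string): boolean {
  const p = pattern.toLowerCase().trim();
  if (p.startsWith("*.")) {
    const base = p.slice(2);
    return host.length > base.length + 1 && host.endsWith("." + base);
  }
  return host === p;
}

// Decision point: may the credential be attached to a request to this URL?
function credentialAllowed(url: string, allowed: string[]): boolean {
  const host = requestHost(url);
  if (host === null) return false;
  return allowed.some((pat) => hostMatchesPattern(host, pat));
}

// Audit step from the recommended actions: entries that use a wildcard and
// should be replaced by explicit FQDNs.
function wildcardEntries(allowed: string[]): string[] {
  return allowed.filter((p) => p.indexOf("*") !== -1);
}

// Constructed allowlist mirroring the scenario on this page.
const sampleAllowed = ["*.internal-corp.com", "api.openai.com"];
console.log(credentialAllowed("https://api.internal-corp.com/v1", sampleAllowed));
console.log(credentialAllowed("https://exfil.attacker-controlled.com/", sampleAllowed));
console.log(wildcardEntries(sampleAllowed));
```

Note that a correct matcher still accepts any real subdomain of a wildcarded zone, which is why the recommended action is to replace wildcards with explicit FQDNs rather than rely on the check alone.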

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
February 6, 2026
Last Modified
February 19, 2026
First Seen
February 6, 2026