CVE-2026-25631
📋 TL;DR
This vulnerability in n8n's HTTP Request node allows an authenticated attacker to bypass the credential "Allowed domains" validation and send a request carrying a credential to a domain the credential was not meant for. When a credential's allowed-domains setting uses a wildcard pattern (for example *.example.com), this can lead to exfiltration of that credential to an attacker-controlled host. Only credentials configured with wildcard domain patterns are affected.
💻 Affected Systems
- n8n
📦 What is this software?
n8n, an open-source workflow automation platform, by n8n
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive credentials from the n8n platform to attacker-controlled domains, potentially compromising other systems that use those credentials.
Likely Case
Credential leakage to unintended domains, potentially exposing API keys, authentication tokens, or other sensitive credentials stored in n8n.
If Mitigated
Limited impact if proper network segmentation and credential scoping are in place, with no sensitive credentials using wildcard patterns.
🎯 Exploit Status
Exploitation requires an authenticated n8n user who can run a workflow containing an HTTP Request node, plus a credential whose 'Allowed domains' setting contains a wildcard pattern. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.121.0 and later
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h
Restart Required: Yes
Instructions:
1. Back up your n8n instance.
2. Update n8n to version 1.121.0 or later using your package manager or deployment method.
3. Restart the n8n service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Remove wildcard domain patterns
Remove any wildcard domain patterns (e.g., *.example.com) from credential 'Allowed domains' settings and replace them with the specific hostnames the credential is actually used against.
Restrict credential access
Review and limit which users have access to credentials that carry domain restrictions.
🧯 If You Can't Patch
- Review all credentials and remove wildcard domain patterns from 'Allowed domains' settings
- Implement network controls to restrict outbound connections from n8n instances to only authorized domains
🔍 How to Verify
Check if Vulnerable:
Check n8n version and review if any credentials use wildcard domain patterns in 'Allowed domains' settings.
Check Version:
Run n8n --version, or read the "version" field of the installed n8n package's package.json.
Verify Fix Applied:
Confirm n8n version is 1.121.0 or later and test that credentials with wildcard domains now properly validate against intended domains.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from n8n to unexpected domains
- Failed credential validation attempts
Network Indicators:
- HTTP requests from n8n to domains not matching configured credential patterns
SIEM Query:
source="n8n" AND (http_request.method=* AND NOT http_request.domain IN (allowed_domains_list))
(pseudo-query; adapt the field names and the allowed-domains list to your own log schema and credential configuration)
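The two checks above (a strict 'Allowed domains' match for the workaround and verification sections, and the detection query for requests that leave the allow-list) share the same hostname-matching logic, so the following added example covers both. It is not n8n's code and does not reproduce the actual defect; it shows what a correct wildcard matcher must reject (longer attacker-controlled suffixes, substring look-alikes, and the bare apex under a "*." pattern) and then runs that matcher over constructed JSON log lines. The log field layout (ts, node, credential, url) and the allow-list structure are assumptions made for this example.

```javascript
// Added example (not n8n's code): a strict "Allowed domains" matcher and a
// log scan that flags credentialed requests to hosts outside the allow-list.
// Hostnames, patterns and log lines below are constructed for illustration.

// Normalise a host: lower-case, strip a trailing dot, and reject anything
// that is not a plain DNS name (no scheme, port, path or userinfo).
function normalizeHost(host) {
  const h = String(host).trim().toLowerCase().replace(/\.$/, "");
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(h)) return null;
  return h;
}

// Strict wildcard match: a pattern is either an exact host or "*.suffix",
// where "*" stands for one or more labels to the left of ".suffix".
// It must never match via substring, regex metacharacters, or a longer
// attacker-controlled suffix such as "api.example.com.attacker.net".
function hostMatchesPattern(host, pattern) {
  const h = normalizeHost(host);
  const p = String(pattern).trim().toLowerCase();
  if (h === null) return false;
  if (p.startsWith("*.")) {
    const suffix = normalizeHost(p.slice(2));
    if (suffix === null) return false;
    // Require at least one label before the suffix: the apex "example.com"
    // is deliberately not covered by "*.example.com".
    return h.length > suffix.length + 1 && h.endsWith("." + suffix);
  }
  if (p.includes("*")) return false; // wildcards only as a leading "*."
  return h === normalizeHost(p);
}

function hostAllowed(host, allowedPatterns) {
  return allowedPatterns.some((p) => hostMatchesPattern(host, p));
}

// Take the host from the URL the way a request node would, so that
// "https://api.example.com.attacker.net/x" is judged on its real host.
function hostOfUrl(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Constructed JSON log lines in a shape an HTTP Request node might emit
// (this field layout is an assumption, not n8n's log format).
const SAMPLE_LOG = [
  '{"ts":"2026-01-10T10:00:01Z","node":"HTTP Request","credential":"cred-1","url":"https://api.example.com/v1/users"}',
  '{"ts":"2026-01-10T10:00:02Z","node":"HTTP Request","credential":"cred-1","url":"https://api.example.com.attacker.net/collect"}',
  '{"ts":"2026-01-10T10:00:03Z","node":"HTTP Request","credential":"cred-1","url":"https://evil-example.com/collect"}',
  '{"ts":"2026-01-10T10:00:04Z","node":"HTTP Request","credential":null,"url":"https://updates.vendor.test/ping"}',
  '{"ts":"2026-01-10T10:00:05Z","node":"HTTP Request","credential":"cred-1","url":"https://example.com/login"}',
];

// Per-credential allow-lists as configured in 'Allowed domains' (constructed).
const CREDENTIAL_ALLOWLIST = { "cred-1": ["*.example.com"] };

// Return the log entries where a credential was attached to a request whose
// host falls outside that credential's allow-list.
function findCredentialLeaks(lines, allowlists) {
  const hits = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; }
    if (!e.credential) continue;      // uncredentialed requests are out of scope
    const patterns = allowlists[e.credential];
    if (!patterns) continue;          // credential without a domain restriction
    const host = hostOfUrl(e.url);
    if (host === null || !hostAllowed(host, patterns)) {
      hits.push({ ts: e.ts, credential: e.credential, host, url: e.url });
    }
  }
  return hits;
}

console.log(JSON.stringify(findCredentialLeaks(SAMPLE_LOG, CREDENTIAL_ALLOWLIST), null, 2));
```

Run over the constructed lines, the scan reports three entries for cred-1: the request to api.example.com.attacker.net, the one to evil-example.com, and the one to the bare apex example.com; the request to api.example.com passes and the uncredentialed request is ignored. Whether "*.example.com" should also cover example.com itself is a policy decision; the matcher here takes the strict reading, and a deployment that wants the apex covered should list it as a separate exact entry rather than loosen the wildcard rule.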