Description
n8n is an open source workflow automation platform. Prior to 1.121.0, a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This only affects users who have credentials that use wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting. This issue is fixed in version 1.121.0 and later.
Published: 2026-02-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential theft
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an authenticated attacker within the n8n environment to bypass the intended domain allowlist for the HTTP Request node, sending requests that include stored credentials to arbitrary or unintended domains. This bypass can result in exfiltration of credential data, putting sensitive authentication material at risk. The weakness is rooted in improper input validation (CWE-20) and the mishandling of stored credentials (CWE-522).

Affected Systems

n8n, the open-source workflow automation platform, is affected when it runs a version prior to 1.121.0. The problem specifically affects users who have defined credentials that use wildcard domain patterns, such as "*.example.com", in their allowed domains configuration. Because n8n runs on a Node.js runtime, the issue exists across all installations that use the HTTP Request node with such settings, regardless of deployment size.

Risk and Exploitability

The scoring reflects a moderate risk (CVSS score 5.3) and a very low likelihood of exploitation (EPSS < 1 %). The vulnerability is not listed in CISA's KEV catalog. An attacker must have authenticated and authorized access to modify the HTTP Request node configuration, or the node must be improperly exposed to external users. Exploitation relies on the missing domain validation check; with that access in place, an attacker could cause the system to send credentials to a domain of their choice, potentially leaking authentication material to an external server.

Generated by OpenCVE AI on April 18, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 1.121.0 or later. This update includes a fix that enforces strict domain validation for the HTTP Request node.
  • Reevaluate and modify credential configuration to eliminate wildcard domain patterns in the "Allowed domains" field, or restrict the field to explicit domains only.
  • Review and adjust network firewall rules to restrict outbound HTTP requests from the n8n instance to only approved domains.

Generated by OpenCVE AI on April 18, 2026 at 13:28 UTC.
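As an added illustration of the strict domain validation the recommended upgrade enforces (example code written for this page, not n8n's own implementation, and not a description of the specific bypass), the matcher below checks the parsed hostname of a request URL against a hypothetical "Allowed domains" list on label boundaries, so a wildcard entry only ever matches genuine subdomains of its base domain:

```javascript
// Added example (not n8n's code): strict matching of a request URL against a
// credential's allowed-domain list, including wildcard entries like "*.example.com".
// Function names and list format are assumptions made for this example.

// Normalise a hostname: lowercase, drop a trailing dot, reject anything that is
// not a plain dotted DNS name (empty host, bracketed IPv6, wildcards, etc.).
function normalizeHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return /^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(h) ? h : null;
}

// Match one allow-list entry. Exact entries must equal the whole hostname.
// A "*." prefix matches one or more subdomain labels of the base domain and
// never the base domain itself or a name that merely ends in the same text.
function hostMatchesPattern(hostname, pattern) {
  const p = pattern.trim().toLowerCase();
  if (p.startsWith('*.')) {
    const base = normalizeHost(p.slice(2));
    if (!base) return false;               // malformed pattern ("*." or "*"): fail closed
    return hostname.endsWith('.' + base);  // suffix check on a label boundary
  }
  const exact = normalizeHost(p);
  return exact !== null && hostname === exact;
}

// Decide whether a stored credential may be attached to a request to `url`.
// Parsing with the WHATWG URL class means the decision is made on the real
// destination host, not on substrings of the full URL: userinfo, path and
// query components that happen to contain an allowed name do not count.
function credentialAllowedForUrl(url, allowedDomains) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;                          // unparseable URL: no credential
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  const hostname = normalizeHost(parsed.hostname);
  if (!hostname) return false;
  return allowedDomains.some((pattern) => hostMatchesPattern(hostname, pattern));
}
```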


Advisories

Source: GitHub GHSA
ID: GHSA-2xcx-75h9-vr9h
Title: n8n's domain allowlist bypass enables credential exfiltration
History

Thu, 19 Feb 2026 18:00:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-522
CPEs                          cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Metrics                       cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Feb 2026 11:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    N8n; N8n n8n
Vendors & Products                     N8n; N8n n8n

Fri, 06 Feb 2026 21:15:00 +0000

Type         Values Removed   Values Added
Metrics                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description                   n8n is an open source workflow automation platform. Prior to 1.121.0, there is a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This only might affect user who have credentials that use wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting. This issue is fixed in version 1.121.0 and later.
Title                         Domain allowlist bypass enables credential exfiltration
Weaknesses                    CWE-20
References
Metrics                       cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-06T21:08:06.638Z
Reserved: 2026-02-04T05:15:41.790Z
Link: CVE-2026-25631

Vulnrichment

Updated: 2026-02-06T21:06:51.766Z

NVD

Status: Analyzed
Published: 2026-02-06T21:16:18.230
Modified: 2026-02-19T17:51:02.697
Link: CVE-2026-25631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses