CVE-2026-25631 is a vulnerability classified under CWE-20 (Improper Input Validation) found in the n8n open source workflow automation platform, specifically affecting versions prior to 1.121.0. The flaw resides in the HTTP Request node's credential domain validation logic. n8n allows users to configure credentials with an "Allowed domains" setting to restrict HTTP requests to specific domains. However, when wildcard domain patterns (e.g., *.example.com) are used, the validation mechanism fails to correctly restrict the domains to which credentials can be sent. An authenticated attacker with access to the n8n instance can exploit this by crafting HTTP requests that include credentials but target unintended domains outside the allowed scope. This can result in unauthorized credential leakage to malicious domains controlled by the attacker. The vulnerability does not require user interaction and can be exploited remotely over the network, but it does require the attacker to have authenticated access to the n8n platform, which typically means some level of internal or trusted user access. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, no user interaction, and low impact on confidentiality, integrity, and availability, resulting in a medium severity rating. The issue was publicly disclosed on February 6, 2026, and fixed in version 1.121.0. There are no known exploits in the wild at this time. This vulnerability highlights the risks of improper input validation in automation platforms that handle sensitive credentials and the importance of precise domain restrictions in credential management.

For European organizations, the impact of CVE-2026-25631 can be significant depending on their use of n8n for automating workflows that involve sensitive credentials and external HTTP requests. Credential exfiltration could lead to unauthorized access to downstream systems, data breaches, or lateral movement within the network. Organizations using wildcard domain patterns in credential settings are particularly vulnerable, as attackers can leverage this to redirect credentials to malicious domains. This could compromise confidentiality of sensitive information and potentially disrupt automated processes if attackers manipulate workflows. The medium severity rating reflects moderate risk, but the actual impact depends on the criticality of the workflows automated by n8n and the sensitivity of the credentials involved. European entities in sectors such as finance, healthcare, and critical infrastructure that rely on n8n for integration and automation should be especially vigilant. The requirement for attacker authentication limits exposure to insider threats or compromised accounts but does not eliminate risk. Given the increasing adoption of automation platforms in Europe, this vulnerability poses a tangible threat to operational security and data protection compliance.

1. Upgrade all n8n instances to version 1.121.0 or later immediately to apply the official fix. 2. Review and audit all credential configurations in n8n, particularly those using wildcard domain patterns in the "Allowed domains" setting. Replace wildcard entries with explicit domain names wherever feasible to reduce the attack surface. 3. Implement strict access controls and multi-factor authentication (MFA) for n8n user accounts to minimize the risk of attacker authentication. 4. Monitor n8n logs for unusual HTTP request patterns or attempts to send credentials to unexpected domains. 5. Segment n8n infrastructure within the network to limit exposure and restrict outbound traffic to only trusted domains. 6. Educate administrators and users about the risks of wildcard domain usage in credential settings and enforce secure configuration policies. 7. Regularly review and update workflow automation security policies to include validation of credential domain restrictions. 8. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) that can detect and block anomalous outbound requests from n8n nodes. These steps go beyond generic advice by focusing on configuration hygiene, access control, monitoring, and network segmentation tailored to the specifics of this vulnerability.