CVE-2026-25631: n8n: Input Validation flaw enables exploitation

MEDIUM
Published February 6, 2026
CISO Take

n8n is the de facto orchestration layer for AI agent pipelines — it holds API keys to OpenAI, Anthropic, vector DBs, and every downstream service your agents touch. Any authenticated user (insider, compromised service account, low-priv contractor) can exfiltrate those credentials if wildcard domain patterns are configured. Patch to 1.121.0 immediately and audit every HTTP Request node for wildcard Allowed Domains entries.

What is the risk?

CVSS 6.5 understates operational risk in AI-heavy environments. Attack complexity is low, no user interaction required, and the credential pool in a typical n8n AI deployment is exceptionally high-value: LLM API keys, vector database tokens, RAG source credentials, and SaaS integrations. Confidentiality impact is HIGH (CVSS partial score confirms). Not in KEV and requires authentication, but the authentication bar is low — many n8n instances grant broad access to workflow editors. Internal threat vector is the primary concern.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 19% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

What should I do?

  1) Patch: Upgrade n8n to 1.121.0 or later; this is the only full fix.
  2) Audit: Enumerate all HTTP Request nodes using credentials with wildcard patterns (*.example.com); replace wildcards with explicit FQDN allowlists.
  3) Rotate: Assume any credential attached to a wildcard-configured HTTP Request node is compromised; rotate immediately.
  4) Access control: Restrict n8n workflow edit permissions; not every user needs the ability to create or modify HTTP Request nodes.
  5) Detection: Monitor outbound HTTP from n8n for requests to unexpected domains, especially subdomains of otherwise-trusted domains.
  6) Segment: If running n8n in a shared environment, isolate it from high-value credential stores.
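
The audit and detection steps above, sketched as an added example (not code from n8n or from this advisory): it lists credentials whose allowed-domains value contains a wildcard, then classifies outbound requests against an explicit FQDN allowlist. The credential records, the proxy log format and all hostnames are constructed assumptions.

```javascript
// Added example, not n8n code. Credential records, the proxy log format and
// all hostnames are constructed for illustration.
const credentials = [ // constructed: credential name -> "Allowed domains" value
  { name: 'llm-prod', allowedDomains: 'api.llm-vendor.example' },
  { name: 'internal-api', allowedDomains: '*.internal-corp.example, status.internal-corp.example' },
];
// Constructed egress-proxy lines: "<timestamp> <source> <method> <url>"
const proxyLog = `
2026-02-10T09:00:01Z n8n POST https://api.llm-vendor.example/v1/chat
2026-02-10T09:00:07Z n8n GET https://STATUS.internal-corp.example./health
2026-02-10T09:02:13Z n8n POST https://files.internal-corp.example/upload
2026-02-10T09:02:40Z n8n POST https://collector.unrelated.test/in
2026-02-10T09:03:00Z billing GET https://collector.unrelated.test/in
`;

const normalizeHost = (h) => h.toLowerCase().replace(/\.$/, '');
const splitEntries = (s) => s.split(',').map((e) => e.trim()).filter(Boolean);
// Label-based heuristic (not Public Suffix List aware): a.b.c -> b.c
const parentOf = (h) => (h.split('.').length > 2 ? h.split('.').slice(1).join('.') : h);

// Audit step: names of credentials whose allowed-domains list has a wildcard.
function findWildcardCredentials(creds) {
  return creds
    .filter((c) => splitEntries(c.allowedDomains).some((e) => e.includes('*')))
    .map((c) => c.name);
}

// Detection step: flag outbound hosts from `source` that are not an exact
// match for an entry in the explicit FQDN allowlist.
function classifyEgress(log, allowedFqdns, source = 'n8n') {
  const allowed = new Set(allowedFqdns.map(normalizeHost));
  const parents = [...allowed].map(parentOf);
  const findings = [];
  for (const line of log.trim().split('\n')) {
    const [ts, src, , rawUrl] = line.trim().split(/\s+/);
    if (src !== source) continue;
    let host;
    try { host = normalizeHost(new URL(rawUrl).hostname); }
    catch { findings.push({ ts, host: rawUrl, verdict: 'unparseable' }); continue; }
    if (allowed.has(host)) continue; // exact FQDN match only, no wildcard logic
    const verdict = parents.some((p) => host.endsWith('.' + p))
      ? 'unlisted-subdomain-of-trusted' : 'unexpected-domain';
    findings.push({ ts, host, verdict });
  }
  return findings;
}

console.log(findWildcardCredentials(credentials));
console.log(classifyEgress(proxyLog, ['api.llm-vendor.example', 'status.internal-corp.example']));
```

Hosts are normalized (case, trailing dot) before comparison, so the second log line counts as allowed, while the unlisted subdomain of a trusted parent is reported separately from a wholly unexpected domain.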

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.6.2 - Roles, responsibilities and authorities for AI
  • A.6.2.6 - AI system security controls
  • A.9.3 - AI system security and data protection
NIST AI RMF
  • GOVERN 1.7 - Processes for AI risk management include security
  • MANAGE 2.4 - Risks and benefits of deployed AI are monitored
OWASP LLM Top 10
  • LLM06:2025 - Sensitive Information Disclosure
  • LLM07:2025 - System Prompt Leakage

Frequently Asked Questions

Is CVE-2026-25631 actively exploited?

No confirmed active exploitation of CVE-2026-25631 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-25631?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation pipelines, LLM API integration layers, RAG pipelines, multi-agent orchestration systems, AI-connected SaaS integrations.

What is the CVSS score for CVE-2026-25631?

CVE-2026-25631 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

  • agent frameworks
  • workflow automation pipelines
  • LLM API integration layers
  • RAG pipelines
  • multi-agent orchestration systems
  • AI-connected SaaS integrations

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0098 AI Agent Tool Credential Harvesting
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, A.6.2.6, A.9.3
NIST AI RMF: GOVERN 1.7, MANAGE 2.4
OWASP LLM Top 10: LLM06:2025, LLM07:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to 1.121.0, a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This might only affect users who have credentials that use wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting. This issue is fixed in version 1.121.0 and later.

Exploitation Scenario

An attacker gains low-privilege access to an n8n instance (e.g., via phishing a workflow developer or reusing a leaked n8n account). They identify an HTTP Request node that uses a credential configured with 'Allowed domains: *.internal-corp.com'. The attacker creates or modifies a workflow to send a request to 'exfil.attacker-controlled.com' or, more subtly, registers 'attacker.internal-corp.com' if the wildcard is broader than intended. The n8n credential domain validation passes the wildcard check, attaches the stored API key or token to the outbound request, and the credential is delivered to the attacker's endpoint. In AI agent deployments, this credential often grants access to LLM APIs, vector databases, or connected SaaS tools used by the agent pipeline.

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
February 6, 2026
Last Modified
February 19, 2026
First Seen
February 6, 2026
