CVE-2026-25631: n8n: Input Validation flaw enables exploitation
MEDIUM
n8n is the de facto orchestration layer for AI agent pipelines — it holds API keys to OpenAI, Anthropic, vector DBs, and every downstream service your agents touch. Any authenticated user (insider, compromised service account, low-priv contractor) can exfiltrate those credentials if wildcard domain patterns are configured. Patch to 1.121.0 immediately and audit every HTTP Request node for wildcard Allowed Domains entries.
Risk Assessment
CVSS 6.5 understates operational risk in AI-heavy environments. Attack complexity is low, no user interaction is required, and the credential pool in a typical n8n AI deployment is exceptionally high-value: LLM API keys, vector database tokens, RAG source credentials, and SaaS integrations. Confidentiality impact is HIGH (the C:H component of the CVSS vector). The CVE is not in KEV and exploitation requires authentication, but the authentication bar is low: many n8n instances grant broad access to workflow editors. The internal threat vector is the primary concern.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Recommended Action
1) Patch: Upgrade n8n to 1.121.0 or later — this is the only full fix.
2) Audit: Enumerate all HTTP Request nodes using credentials with wildcard patterns (*.example.com); replace wildcards with explicit FQDN allowlists.
3) Rotate: Assume any credential attached to a wildcard-configured HTTP Request node is compromised; rotate immediately.
4) Access control: Restrict n8n workflow edit permissions — not every user needs the ability to create or modify HTTP Request nodes.
5) Detection: Monitor outbound HTTP from n8n for requests to unexpected domains, especially subdomains of otherwise-trusted domains.
6) Segment: If running n8n in a shared environment, isolate it from high-value credential stores.
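A sketch of the audit and detection steps (2 and 5) above, added here as an example; it is not part of the original advisory and not n8n's own validation code. The allowed-domain list, the egress URLs and all function names are constructed, and the wildcard semantics (subdomains only, matched on a label boundary) are an assumption.

```javascript
// Added example with constructed data; this is not n8n's validation code.
// Assumption: "*.example.com" covers subdomains only, on a label boundary.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, ""); // fold case, drop root dot
}

// Match one hostname against one allowed-domain entry.
function matchEntry(host, entry) {
  const h = normalizeHost(host);
  const e = normalizeHost(entry.trim());
  if (!e.startsWith("*.")) return h === e ? "explicit" : null;
  // Keep the "." in front of the base so "evilexample.com" cannot match.
  return h.endsWith(e.slice(1)) && h.length > e.length - 1 ? "wildcard" : null;
}

// Classify one outbound URL against a credential's allowed-domain list.
function classifyRequest(url, allowedDomains) {
  let host;
  try {
    // Parse first: in https://api.example.com@other.test/ the host is other.test.
    host = new URL(url).hostname;
  } catch {
    return { url, host: null, verdict: "unparseable" };
  }
  const kinds = allowedDomains.map((e) => matchEntry(host, e));
  const verdict = kinds.includes("explicit") ? "explicit"
    : kinds.includes("wildcard") ? "wildcard-only"
    : "unexpected";
  return { url, host: normalizeHost(host), verdict };
}

// Report wildcard entries to replace and every request not covered by an FQDN.
function auditEgress(urls, allowedDomains) {
  const results = urls.map((u) => classifyRequest(u, allowedDomains));
  return {
    wildcardEntries: allowedDomains.filter((e) => e.trim().startsWith("*.")),
    review: results.filter((r) => r.verdict !== "explicit"),
  };
}

// Constructed sample: one credential's allowed domains and observed egress URLs.
const ALLOWED = ["api.example.com", "*.example.com"];
const EGRESS = [
  "https://api.example.com/v1/chat", "https://files.example.com/upload",
  "https://evilexample.com/collect", "https://example.com.other.test/collect",
  "https://api.example.com@other.test/collect", "https://API.Example.COM./v1/models",
];
console.log(JSON.stringify(auditEgress(EGRESS, ALLOWED), null, 2));
```

Hosts reported as wildcard-only are the ones an explicit FQDN allowlist would have to name before the wildcard entry is removed.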
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-25631 actively exploited?
No confirmed active exploitation of CVE-2026-25631 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-25631?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation pipelines, LLM API integration layers, RAG pipelines, multi-agent orchestration systems, AI-connected SaaS integrations.
What is the CVSS score for CVE-2026-25631?
CVE-2026-25631 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.02%.
Technical Details
NVD Description
n8n is an open source workflow automation platform. Prior to 1.121.0, a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This might only affect users who have credentials that use wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting. This issue is fixed in version 1.121.0 and later.
Exploitation Scenario
An attacker gains low-privilege access to an n8n instance (e.g., via phishing a workflow developer or reusing a leaked n8n account). They identify an HTTP Request node that uses a credential configured with 'Allowed domains: *.internal-corp.com'. The attacker creates or modifies a workflow to send a request to 'exfil.attacker-controlled.com' or, more subtly, registers 'attacker.internal-corp.com' if the wildcard is broader than intended. The n8n credential domain validation passes the wildcard check, attaches the stored API key or token to the outbound request, and the credential is delivered to the attacker's endpoint. In AI agent deployments, this credential often grants access to LLM APIs, vector databases, or connected SaaS tools used by the agent pipeline.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Related Vulnerabilities
CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials (Same package: n8n)
CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion (Same package: n8n)
CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (Same package: n8n)
CVE-2026-27577 9.9 n8n: Code Injection enables RCE (Same package: n8n)
CVE-2026-27494 9.9 n8n: security flaw enables exploitation (Same package: n8n)