CVE-2026-25631: n8n's domain allowlist bypass enables credential exfiltration

February 4, 2026 (updated February 6, 2026)

A vulnerability in the HTTP Request node’s credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration.

This only might affect user who have credentials that use wildcard domain patterns (e.g., *.example.com) in the “Allowed domains” setting.

References

github.com/advisories/GHSA-2xcx-75h9-vr9h
github.com/n8n-io/n8n
github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h
nvd.nist.gov/vuln/detail/CVE-2026-25631

Code Behaviors & Features

Detect and mitigate CVE-2026-25631 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →