n8n HTTP Request Node Credential Domain Validation Vulnerability Allowing Exfiltration

Vulnerability

A vulnerability exists in n8n versions prior to 1.121.0 within the HTTP Request node's credential domain validation. This flaw allows an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. The issue may impact users with credentials that include wildcard domain patterns, such as *.example.com, in the 'Allowed domains' setting.

Impact

Exploitation of this vulnerability could result in unauthorized credential exfiltration.

Remediation

Users are strongly encouraged to upgrade to n8n version 1.121.0 or later. Until upgrading, replace wildcard domain patterns with explicit domain listings in HTTP Request credentials, review and restrict workflow creation or modification permissions to trusted users, and audit existing workflows using HTTP Request nodes with domain-restricted credentials.
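One way to carry out the audit steps above on exported data, as an added example (not n8n's own code). It assumes decrypted credential records and workflows are available as JSON, and that the allowed-domain list is stored under a credential data key named allowedDomains; that key name and all sample records are assumptions, constructed for illustration.

```javascript
// Added audit example; not n8n project code. The credential field name is an
// assumption about the exported JSON and may need adjusting for your instance.
const ALLOWED_DOMAINS_FIELD = "allowedDomains"; // assumed credential data key
const HTTP_REQUEST_TYPE = "n8n-nodes-base.httpRequest";
const FIXED_VERSION = [1, 121, 0]; // fixed release named in the advisory

// True when an n8n version string is older than the fixed release.
function isAffectedVersion(version) {
  const parts = version.split(".").map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const diff = (parts[i] || 0) - FIXED_VERSION[i];
    if (diff !== 0) return diff < 0;
  }
  return false;
}

// Return { id, name, patterns } for credentials whose allowed-domain list has a wildcard.
function findWildcardCredentials(credentials) {
  return credentials.flatMap((cred) => {
    const raw = (cred.data && cred.data[ALLOWED_DOMAINS_FIELD]) || "";
    const patterns = String(raw).split(",").map((d) => d.trim()).filter((d) => d.includes("*"));
    return patterns.length ? [{ id: cred.id, name: cred.name, patterns }] : [];
  });
}

// List HTTP Request nodes that reference any flagged credential.
function findAffectedNodes(workflows, flaggedCreds) {
  const flaggedIds = new Set(flaggedCreds.map((c) => String(c.id)));
  return workflows.flatMap((wf) =>
    (wf.nodes || [])
      .filter((n) => n.type === HTTP_REQUEST_TYPE)
      .filter((n) => Object.values(n.credentials || {}).some((ref) => flaggedIds.has(String(ref.id))))
      .map((n) => ({ workflow: wf.name, node: n.name })));
}

// Constructed sample data (not real exports).
const sampleCredentials = [
  { id: "1", name: "API wildcard", type: "httpHeaderAuth", data: { allowedDomains: "*.example.com, api.example.org" } },
  { id: "2", name: "API explicit", type: "httpHeaderAuth", data: { allowedDomains: "api.example.com" } },
];
const sampleWorkflows = [
  { name: "Sync orders", nodes: [
    { name: "Fetch", type: HTTP_REQUEST_TYPE, credentials: { httpHeaderAuth: { id: "1", name: "API wildcard" } } },
    { name: "Post", type: HTTP_REQUEST_TYPE, credentials: { httpHeaderAuth: { id: "2", name: "API explicit" } } },
  ] },
];
const flagged = findWildcardCredentials(sampleCredentials);
console.log(isAffectedVersion("1.120.4"), flagged, findAffectedNodes(sampleWorkflows, flagged));
```

Credentials reported by findWildcardCredentials are the ones to rewrite with explicit domain listings; the nodes reported by findAffectedNodes are the workflows to review first.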

Added: Feb 6, 2026, 9:25 PM
Updated: Feb 6, 2026, 10:08 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 4.9
remediation: 8.3
relevance: 2.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.