CVE-2025-68949

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to bypass IP whitelist restrictions in n8n's Webhook node by using IP addresses that contain whitelisted entries as substrings. It affects n8n instances from version 1.36.0 to before 2.2.0 where administrators rely on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses are impacted.

💻 Affected Systems

Products:
  • n8n
Versions: 1.36.0 to before 2.2.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects instances where IP whitelisting is configured for Webhook nodes. Default installations without IP restrictions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could trigger unauthorized workflows, potentially leading to data exfiltration, system compromise, or business logic manipulation if webhooks execute sensitive operations.

🟠 Likely Case

Unauthorized webhook requests could trigger workflows, potentially causing data integrity issues, service disruption, or information disclosure depending on workflow functionality.

🟢 If Mitigated

With proper network segmentation and additional authentication layers, impact would be limited to failed unauthorized access attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of whitelisted IP patterns and ability to spoof or obtain IP addresses containing those patterns as substrings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp

Restart Required: Yes

Instructions:

1. Backup your n8n instance and workflows.
2. Update n8n to version 2.2.0 or later using your package manager or deployment method.
3. Restart the n8n service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Network-level IP filtering (applies to: all)

Implement IP filtering at the network level (firewall, load balancer, or reverse proxy) instead of relying on n8n's built-in whitelist.

Disable IP whitelisting and use authentication (applies to: all)

Remove IP whitelist configurations and implement webhook authentication via secrets or tokens.

🧯 If You Can't Patch

  • Implement network-level IP filtering with exact match validation
  • Add additional authentication mechanisms to webhook workflows

🔍 How to Verify

Check if Vulnerable:

Check if n8n version is between 1.36.0 and 2.1.x AND has IP whitelist configured for any Webhook nodes.

Check Version:

n8n --version

Verify Fix Applied:

Verify n8n version is 2.2.0 or later and test that IP whitelist validation now performs exact IP matching.

📡 Detection & Monitoring

Log Indicators:

  • Webhook requests from IP addresses that contain whitelisted patterns as substrings but aren't exact matches
  • Failed IP validation attempts in n8n logs
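
The substring match described in the TL;DR and in the first log indicator above, as an added JavaScript example that is not n8n's code: an illustrative substring-based whitelist check beside an exact-match check, and a detector that flags log entries which pass the weak check but not the strict one. The whitelist entries and the log entries are constructed for the example.

```javascript
// Added example, not n8n's implementation: an illustrative substring-based
// whitelist check of the kind the advisory describes, the exact-match check
// that replaces it, and a detector for the bypass pattern in webhook logs.

// Constructed whitelist (assumption): one IPv4 entry and one IPv6 entry.
const WHITELIST = ["10.0.0.1", "2001:db8::1"];

// Weak check: passes if ANY whitelist entry appears anywhere in the client
// address. "110.0.0.1", "10.0.0.11" and "2001:db8::10" all slip through.
function weakAllow(clientIp, whitelist = WHITELIST) {
  return whitelist.some((entry) => clientIp.includes(entry));
}

// Strict check: the client address must equal a whitelist entry exactly.
// Trimming and lower-casing only absorbs whitespace and IPv6 hex case;
// a canonical IPv6 parser would be needed to treat "::1" and "0:0::1" alike.
function strictAllow(clientIp, whitelist = WHITELIST) {
  const ip = clientIp.trim().toLowerCase();
  return whitelist.some((entry) => entry.trim().toLowerCase() === ip);
}

// Detection: from parsed webhook access-log entries ({ ip, path }), return the
// ones the weak check would admit but the strict check rejects. These are the
// "whitelisted pattern as substring, not exact match" requests to hunt for.
function findSubstringBypasses(entries, whitelist = WHITELIST) {
  return entries.filter(
    (e) => weakAllow(e.ip, whitelist) && !strictAllow(e.ip, whitelist)
  );
}

// Constructed sample log entries (assumption about the log shape).
const SAMPLE_LOG = [
  { ip: "10.0.0.1", path: "/webhook/orders" },     // legitimate, exact match
  { ip: "110.0.0.1", path: "/webhook/orders" },    // whitelisted IPv4 as a suffix
  { ip: "10.0.0.11", path: "/webhook/orders" },    // whitelisted IPv4 as a prefix
  { ip: "2001:db8::1", path: "/webhook/orders" },  // legitimate IPv6
  { ip: "2001:db8::10", path: "/webhook/orders" }, // whitelisted IPv6 as a prefix
  { ip: "192.0.2.5", path: "/webhook/orders" },    // unrelated, rejected by both
];

const flagged = findSubstringBypasses(SAMPLE_LOG).map((e) => e.ip);
console.log(flagged); // [ '110.0.0.1', '10.0.0.11', '2001:db8::10' ]
```

Run the detector over real access logs that record the client address as the webhook saw it (after any proxy-header handling), since an address rewritten by a reverse proxy will not show the pattern.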

Network Indicators:

  • Unusual webhook traffic patterns from unexpected IP ranges

SIEM Query:

source="n8n" AND ("webhook" OR "IP validation") AND ("bypass" OR "unauthorized")
