CVE-2025-68949

MEDIUM

Published January 13, 2026

CISO Take

Upgrade n8n to 2.2.0 immediately if you rely on IP whitelisting for webhook access control. The partial string matching bug means an attacker at IP 10.0.1.100 bypasses a whitelist entry for 10.0.1.1 — zero credentials, zero sophistication required. Do not treat IP whitelisting as a sole access control on AI agent webhook triggers; add API key or mTLS authentication as a second layer regardless of this patch.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

5.3 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Upgrade n8n to 2.2.0 immediately — fix is available now. 2. AUDIT: Enumerate all Webhook nodes with IP whitelisting configured; treat the vulnerability window (1.36.0+) as a potential unauthorized access period and review execution logs. 3. HARDEN: Add API key authentication or HTTP Basic Auth to all externally-facing webhooks — IP filtering should be a supplementary control, never the sole gate. 4. NETWORK: Deploy n8n behind a reverse proxy or WAF with network-level IP enforcement as an independent control layer. 5. DETECT: Alert on webhook executions from unexpected source IPs; baseline normal trigger patterns for AI agent workflows.

Classification

Auth Bypass Code Execution Agent Framework AML.T0049 - Exploit Public-Facing Application AML.T0051 - LLM Prompt Injection AML.T0053 - AI Agent Tool Invocation AML.T0108 - AI Agent

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - Access Control for AI Systems A.6.2.4 - AI system access control

NIST AI RMF

GOVERN 1.7 - Processes and procedures are in place for decommissioning and phase out of AI systems MANAGE 2.2 - Mechanisms are in place to inventory AI risks MANAGE-2.2 - Mechanisms are in place to respond to and recover from AI risks

OWASP LLM Top 10

LLM06 - Excessive Agency LLM08 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0.

Exploitation Scenario

An adversary identifies an internet-exposed n8n instance via Shodan or certificate transparency logs. The target organization whitelists 10.10.1.1 for webhook access to protect an AI agent workflow that queries an internal LLM and writes results to a database. The attacker controls 10.10.1.10 or any IP containing '10.10.1.1' as a substring — the partial string check passes. With a single crafted HTTP request, they trigger the full AI agent workflow: the LLM receives attacker-controlled input, processes it with production context, and the response is written to the database. No credentials, no brute force, no alert triggered.

Weaknesses (CWE)

CWE-134 Primary CWE-284 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5
Patch
github.com/n8n-io/n8n/issues/23399
Issue Patch
github.com/n8n-io/n8n/pull/23399
Issue Patch
github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp
Vendor

Timeline

Published

January 13, 2026

Last Modified

January 16, 2026

First Seen

January 13, 2026

Back to Threat Feed