AI Threat Alert

CVE-2025-68949: n8n: security flaw enables exploitation

MEDIUM
Published January 13, 2026
CISO Take

Upgrade n8n to 2.2.0 immediately if you rely on IP whitelisting for webhook access control. The partial string matching bug means an attacker at IP 10.0.1.100 bypasses a whitelist entry for 10.0.1.1 — zero credentials, zero sophistication required. Do not treat IP whitelisting as a sole access control on AI agent webhook triggers; add API key or mTLS authentication as a second layer regardless of this patch.

What is the risk?

CVSS 5.3 understates practical risk in AI agent deployments. AV:N/AC:L/PR:N/UI:N means any network-reachable attacker can attempt exploitation with no setup. The blast radius depends entirely on what workflows the webhook triggers: in n8n-orchestrated AI agent pipelines, a bypassed webhook can initiate LLM calls, read vector databases, invoke external APIs, or write to business systems. Organizations using n8n as an AI orchestration layer should treat this as high-priority — the underlying data exposure risk is determined by workflow permissions, not the CVSS base score.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 16% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C Low
I None
A None

What should I do?

5 steps

  1. PATCH

    Upgrade n8n to 2.2.0 immediately — fix is available now.

  2. AUDIT

    Enumerate all Webhook nodes with IP whitelisting configured; treat the vulnerability window (1.36.0+) as a potential unauthorized access period and review execution logs.

  3. HARDEN

    Add API key authentication or HTTP Basic Auth to all externally-facing webhooks — IP filtering should be a supplementary control, never the sole gate.

  4. NETWORK

    Deploy n8n behind a reverse proxy or WAF with network-level IP enforcement as an independent control layer.

  5. DETECT

    Alert on webhook executions from unexpected source IPs; baseline normal trigger patterns for AI agent workflows.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Code Execution Agent Framework AML.T0049 AML.T0051 AML.T0053 AML.T0108

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Access Control for AI Systems A.6.2.4 - AI system access control
NIST AI RMF
GOVERN 1.7 - Processes and procedures are in place for decommissioning and phase out of AI systems MANAGE 2.2 - Mechanisms are in place to inventory AI risks MANAGE-2.2 - Mechanisms are in place to respond to and recover from AI risks
OWASP LLM Top 10
LLM06 - Excessive Agency LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-68949?

Upgrade n8n to 2.2.0 immediately if you rely on IP whitelisting for webhook access control. The partial string matching bug means an attacker at IP 10.0.1.100 bypasses a whitelist entry for 10.0.1.1 — zero credentials, zero sophistication required. Do not treat IP whitelisting as a sole access control on AI agent webhook triggers; add API key or mTLS authentication as a second layer regardless of this patch.

Is CVE-2025-68949 actively exploited?

No confirmed active exploitation of CVE-2025-68949 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-68949?

1. PATCH: Upgrade n8n to 2.2.0 immediately — fix is available now. 2. AUDIT: Enumerate all Webhook nodes with IP whitelisting configured; treat the vulnerability window (1.36.0+) as a potential unauthorized access period and review execution logs. 3. HARDEN: Add API key authentication or HTTP Basic Auth to all externally-facing webhooks — IP filtering should be a supplementary control, never the sole gate. 4. NETWORK: Deploy n8n behind a reverse proxy or WAF with network-level IP enforcement as an independent control layer. 5. DETECT: Alert on webhook executions from unexpected source IPs; baseline normal trigger patterns for AI agent workflows.

What systems are affected by CVE-2025-68949?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow orchestration, RAG pipelines, API integrations.

What is the CVSS score for CVE-2025-68949?

CVE-2025-68949 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

agent frameworksworkflow orchestrationRAG pipelinesAPI integrations

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0051 LLM Prompt Injection
AML.T0053 AI Agent Tool Invocation
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.3, A.6.2.4
NIST AI RMF: GOVERN 1.7, MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM06, LLM08

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0.

Exploitation Scenario

An adversary identifies an internet-exposed n8n instance via Shodan or certificate transparency logs. The target organization whitelists 10.10.1.1 for webhook access to protect an AI agent workflow that queries an internal LLM and writes results to a database. The attacker controls 10.10.1.10 or any IP containing '10.10.1.1' as a substring — the partial string check passes. With a single crafted HTTP request, they trigger the full AI agent workflow: the LLM receives attacker-controlled input, processes it with production context, and the response is written to the database. No credentials, no brute force, no alert triggered.

Weaknesses (CWE)

CWE-134 Use of Externally-Controlled Format String Primary CWE-284 Improper Access Control Primary

CWE-134 — Use of Externally-Controlled Format String: The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

  • [Requirements] Choose a language that is not subject to this flaw.
  • [Implementation] Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Timeline

Published
January 13, 2026
Last Modified
January 16, 2026
First Seen
January 13, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed