CVE-2025-68949: n8n: security flaw enables exploitation
Severity: MEDIUM

Upgrade n8n to 2.2.0 immediately if you rely on IP whitelisting for webhook access control. The partial string matching bug means an attacker at IP 10.0.1.100 bypasses a whitelist entry for 10.0.1.1 — zero credentials, zero sophistication required. Do not treat IP whitelisting as a sole access control on AI agent webhook triggers; add API key or mTLS authentication as a second layer regardless of this patch.
Risk Assessment
CVSS 5.3 understates practical risk in AI agent deployments. AV:N/AC:L/PR:N/UI:N means any network-reachable attacker can attempt exploitation with no setup. The blast radius depends entirely on what workflows the webhook triggers: in n8n-orchestrated AI agent pipelines, a bypassed webhook can initiate LLM calls, read vector databases, invoke external APIs, or write to business systems. Organizations using n8n as an AI orchestration layer should treat this as high-priority — the underlying data exposure risk is determined by workflow permissions, not the CVSS base score.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | >= 1.36.0, < 2.2.0 | 2.2.0 |
Do you run n8n 1.36.0 or later but below 2.2.0 with IP whitelisting on a Webhook node? You're affected.
Recommended Action
1. PATCH: Upgrade n8n to 2.2.0 immediately — fix is available now.
2. AUDIT: Enumerate all Webhook nodes with IP whitelisting configured; treat the vulnerability window (1.36.0+) as a potential unauthorized access period and review execution logs.
3. HARDEN: Add API key authentication or HTTP Basic Auth to all externally-facing webhooks — IP filtering should be a supplementary control, never the sole gate.
4. NETWORK: Deploy n8n behind a reverse proxy or WAF with network-level IP enforcement as an independent control layer.
5. DETECT: Alert on webhook executions from unexpected source IPs; baseline normal trigger patterns for AI agent workflows.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-68949?
CVE-2025-68949 is an IP whitelist bypass in the n8n Webhook node. From 1.36.0 to before 2.2.0, whitelist validation used partial string matching instead of exact IP comparison, so a request from any source address that merely contains a whitelisted entry as a substring is accepted (for example, 10.0.1.100 against an entry for 10.0.1.1). Both IPv4 and IPv6 are affected, and no credentials are needed. The fix is in n8n 2.2.0; because IP whitelisting is a weak sole control for AI agent webhook triggers, add API key or mTLS authentication as a second layer regardless of this patch.
Is CVE-2025-68949 actively exploited?
No confirmed active exploitation of CVE-2025-68949 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-68949?
1. PATCH: Upgrade n8n to 2.2.0 immediately — fix is available now.
2. AUDIT: Enumerate all Webhook nodes with IP whitelisting configured; treat the vulnerability window (1.36.0+) as a potential unauthorized access period and review execution logs.
3. HARDEN: Add API key authentication or HTTP Basic Auth to all externally-facing webhooks — IP filtering should be a supplementary control, never the sole gate.
4. NETWORK: Deploy n8n behind a reverse proxy or WAF with network-level IP enforcement as an independent control layer.
5. DETECT: Alert on webhook executions from unexpected source IPs; baseline normal trigger patterns for AI agent workflows.
What systems are affected by CVE-2025-68949?
n8n instances from 1.36.0 to before 2.2.0 in which a Webhook node relies on IP whitelisting for access control. In AI/ML deployments this touches the following architecture patterns: agent frameworks, workflow orchestration, RAG pipelines, API integrations.
What is the CVSS score for CVE-2025-68949?
CVE-2025-68949 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.04%.
Technical Details
NVD Description
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0.
Exploitation Scenario
An adversary identifies an internet-exposed n8n instance via Shodan or certificate transparency logs. The target organization whitelists 10.10.1.1 for webhook access to protect an AI agent workflow that queries an internal LLM and writes results to a database. The attacker controls 10.10.1.10 or any IP containing '10.10.1.1' as a substring — the partial string check passes. With a single crafted HTTP request, they trigger the full AI agent workflow: the LLM receives attacker-controlled input, processes it with production context, and the response is written to the database. No credentials, no brute force, no alert triggered.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation (same package: n8n)