CVE-2025-68949
- Source
- https://cve.org/CVERecord?id=CVE-2025-68949
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68949.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-68949
- Aliases
- Published
- 2026-01-13T18:43:20.189Z
- Modified
- 2026-03-01T02:55:26.804431Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- n8n has a Webhook Node IP Whitelist Bypass via Partial String Matching
- Details
-
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68949.json", "cwe_ids": [ "CWE-134", "CWE-284" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68949.json
- https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5
- https://github.com/n8n-io/n8n/issues/23399
- https://github.com/n8n-io/n8n/pull/23399
- https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp
- https://nvd.nist.gov/vuln/detail/CVE-2025-68949
Affected packages
Git / github.com/n8n-io/n8n
Affected versions
n8n@1.*
n8n@1.100.0
n8n@1.101.0
n8n@1.102.0
n8n@1.103.0
n8n@1.104.0
n8n@1.105.0
n8n@1.106.0
n8n@1.107.0
n8n@1.108.0
n8n@1.109.0
n8n@1.110.0
n8n@1.111.0
n8n@1.112.0
n8n@1.113.0
n8n@1.114.0
n8n@1.115.0
n8n@1.116.0
n8n@1.117.0
n8n@1.118.0
n8n@1.119.0
n8n@1.120.0
n8n@1.121.0
n8n@1.122.0
n8n@1.123.0
n8n@1.36.0
n8n@1.37.0
n8n@1.38.0
n8n@1.39.0
n8n@1.40.0
n8n@1.41.0
n8n@1.42.0
n8n@1.43.0
n8n@1.44.0
n8n@1.45.0
n8n@1.46.0
n8n@1.47.0
n8n@1.48.0
n8n@1.49.0
n8n@1.50.0
n8n@1.51.0
n8n@1.52.0
n8n@1.53.0
n8n@1.54.0
n8n@1.55.0
n8n@1.56.0
n8n@1.57.0
n8n@1.58.0
n8n@1.59.0
n8n@1.60.0
n8n@1.61.0
n8n@1.62.1
n8n@1.63.0
n8n@1.64.0
n8n@1.65.0
n8n@1.66.0
n8n@1.67.0
n8n@1.68.0
n8n@1.69.0
n8n@1.70.0
n8n@1.71.0
n8n@1.72.0
n8n@1.73.0
n8n@1.74.0
n8n@1.75.0
n8n@1.76.0
n8n@1.77.0
n8n@1.78.0
n8n@1.79.0
n8n@1.80.0
n8n@1.81.0
n8n@1.82.0
n8n@1.83.0
n8n@1.84.0
n8n@1.85.0
n8n@1.86.0
n8n@1.87.0
n8n@1.88.0
n8n@1.89.0
n8n@1.90.0
n8n@1.91.0
n8n@1.92.0
n8n@1.93.0
n8n@1.94.0
n8n@1.95.0
n8n@1.96.0
n8n@1.97.0
n8n@1.98.0
n8n@1.99.0
n8n@2.*
n8n@2.0.0
n8n@2.0.0-rc.0
n8n@2.0.0-rc.1
n8n@2.0.0-rc.2
n8n@2.0.0-rc.3
n8n@2.1.0