CVE-2025-68949 Overview
CVE-2025-68949 is an authorization bypass vulnerability in n8n, an open source workflow automation platform. The vulnerability exists in the Webhook node's IP whitelist validation mechanism, which performs partial string matching instead of exact IP comparison. This flawed implementation allows attackers to bypass IP-based access controls if their IP address merely contains a configured whitelist entry as a substring.
Critical Impact
Attackers with non-whitelisted IP addresses can bypass webhook access restrictions by using IP addresses that share a partial prefix with trusted addresses, undermining IP-based security boundaries.
Affected Products
- n8n versions 1.36.0 through 2.1.x
- n8n Webhook Node component
- Both IPv4 and IPv6 address configurations
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-68949 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68949
Vulnerability Analysis
This vulnerability stems from an improper input validation issue in the Webhook node's IP whitelist feature. When workflow editors configure IP-based access controls to restrict which source addresses can trigger webhooks, the validation logic uses substring matching rather than exact IP comparison.
For example, if an administrator configures the whitelist to allow 192.168.1.1, the flawed validation would also accept requests from IP addresses like 192.168.1.10, 192.168.1.100, or any other address containing 192.168.1.1 as a substring. This applies to both IPv4 and IPv6 address formats.
The attack requires network-level access to reach the n8n webhook endpoint. An attacker who can identify or infer whitelisted IP addresses could craft requests from an IP address that contains the trusted address as a substring, effectively bypassing the intended access control mechanism.
Root Cause
The root cause is classified under CWE-134 (Use of Externally-Controlled Format String), though the specific issue relates to improper string comparison logic in the IP whitelist validation routine. The implementation uses a partial string matching method (such as includes() or indexOf()) rather than an exact equality check or proper CIDR notation parsing for IP address validation.
Attack Vector
The attack vector is network-based. An attacker must:
- Identify a target n8n instance with webhook endpoints protected by IP whitelisting
- Determine or guess at least a portion of the whitelisted IP address(es)
- Originate requests from an IP address that contains the whitelisted address as a substring
- Successfully trigger webhook executions that should have been blocked
The vulnerability enables unauthorized access to webhook-triggered workflows, potentially leading to unauthorized data access, workflow manipulation, or abuse of automated processes.
Detection Methods for CVE-2025-68949
Indicators of Compromise
- Webhook requests originating from IP addresses not explicitly listed in the whitelist configuration
- Access logs showing successful webhook executions from IP addresses that partially match (but don't exactly match) whitelisted entries
- Unexpected workflow executions triggered by external sources
- Patterns of requests from IP addresses with similar prefixes to whitelisted addresses
Detection Strategies
- Review n8n access logs for webhook requests from unexpected IP addresses that share common prefixes with whitelisted entries
- Implement network-level logging to correlate source IPs with expected whitelist configurations
- Monitor for unauthorized workflow executions that may indicate bypass of IP restrictions
- Audit webhook configurations to identify instances relying solely on IP whitelisting for access control
Monitoring Recommendations
- Enable detailed logging for all webhook invocations including source IP addresses
- Implement alerting for webhook requests from IP addresses not in the explicit whitelist
- Consider deploying network intrusion detection rules to flag suspicious IP patterns targeting n8n webhooks
- Regularly audit workflow execution logs for anomalous activity patterns
How to Mitigate CVE-2025-68949
Immediate Actions Required
- Upgrade n8n to version 2.2.0 or later immediately
- Review all webhook configurations that utilize IP whitelisting for access control
- Audit recent webhook execution logs to identify potential exploitation attempts
- Consider implementing additional authentication mechanisms beyond IP whitelisting
Patch Information
The vulnerability is fixed in n8n version 2.2.0. The fix modifies the IP whitelist validation to perform exact IP comparison rather than partial string matching. For detailed technical information about the patch, refer to the GitHub Commit and GitHub Security Advisory.
Workarounds
- Implement additional authentication mechanisms (API keys, OAuth tokens) for webhook endpoints instead of relying solely on IP whitelisting
- Deploy a reverse proxy or web application firewall (WAF) in front of n8n to enforce strict IP-based access controls at the network layer
- Use network segmentation to limit which source networks can reach n8n webhook endpoints
- Consider temporarily disabling IP whitelist-protected webhooks until the upgrade can be completed
# Example: Deploy n8n behind nginx with strict IP filtering
# nginx.conf snippet for webhook endpoint protection
location /webhook/ {
# Strict IP allowlist - exact matches only
allow 192.168.1.1;
allow 10.0.0.50;
deny all;
proxy_pass http://localhost:5678;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
