Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-68949

Good to know:

icon
icon

Date: January 13, 2026

n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0.

Severity Score

Related Resources (7)

https://nvd.nist.gov/vuln/detail/CVE-2025-68949
https://github.com/n8n-io/n8n/pull/23399
https://github.com/n8n-io/n8n/issues/23399
https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5
https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp
https://github.com/n8n-io/n8n
https://www.mend.io/vulnerability-database/CVE-2025-68949

Severity Score

Weakness Type (CWE)

Use of Externally-Controlled Format String

CWE-134

Improper Access Control

CWE-284

Permissive List of Allowed Inputs

CWE-183

Top Fix

icon

Upgrade Version

Upgrade to version n8n - 2.2.0;https://github.com/n8n-io/n8n.git - n8n@2.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us