{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-68949","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-12-26T16:36:34.398Z","datePublished":"2026-01-13T18:43:20.189Z","dateUpdated":"2026-01-13T19:00:47.909Z"},"containers":{"cna":{"title":"n8n has a Webhook Node IP Whitelist Bypass via Partial String Matching","problemTypes":[{"descriptions":[{"cweId":"CWE-134","lang":"en","description":"CWE-134: Use of Externally-Controlled Format String","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-284","lang":"en","description":"CWE-284: Improper Access Control","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp","tags":["x_refsource_CONFIRM"],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp"},{"name":"https://github.com/n8n-io/n8n/issues/23399","tags":["x_refsource_MISC"],"url":"https://github.com/n8n-io/n8n/issues/23399"},{"name":"https://github.com/n8n-io/n8n/pull/23399","tags":["x_refsource_MISC"],"url":"https://github.com/n8n-io/n8n/pull/23399"},{"name":"https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5","tags":["x_refsource_MISC"],"url":"https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5"}],"affected":[{"vendor":"n8n-io","product":"n8n","versions":[{"version":">= 1.36.0, < 2.2.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-01-13T18:43:20.189Z"},"descriptions":[{"lang":"en","value":"n8n is an 
open-source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP address contained a whitelisted entry as a substring, for example by sharing its leading characters with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0."}],"source":{"advisory":"GHSA-w96v-gf22-crwp","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-13T18:59:50.889847Z","id":"CVE-2025-68949","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-13T19:00:47.909Z"}}]}}