CVE-2025-68949: CWE-134: Use of Externally-Controlled Format String in n8n-io n8n
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0.
AI Analysis
Technical Summary
CVE-2025-68949 affects n8n, the open source workflow automation platform, in versions from 1.36.0 up to but not including 2.2.0. The Webhook node's IP whitelist validation compared the request's source address against each configured entry with a substring test rather than an exact address comparison, so a request was accepted whenever the source address merely contained a whitelisted entry, as a prefix or anywhere else inside the string. With a whitelist entry of 192.168.1.10, for example, requests from 192.168.1.100 through 192.168.1.109 pass the check; with an IPv6 entry of 2001:db8::1, a request from 2001:db8::1ff passes as well. The record carries CWE-134 (Use of Externally-Controlled Format String) in its title, but the described behaviour involves no format string at all; the flaw is a failed access-control check and is better described by the record's second classification, CWE-284 (Improper Access Control). Exploitation requires no authentication or user interaction and is possible remotely over the network, but the attacker must send from (or route through) an address whose text contains a trusted entry, which in practice means an address numerically close to a trusted one, such as another host in the same subnet or cloud range. The CVSS v3.1 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, low confidentiality impact, and no integrity or availability impact. No exploits in the wild were known at publication. n8n 2.2.0 fixes the issue by performing exact IP matching; instances on affected versions should be upgraded promptly.
Potential Impact
For European organizations running n8n 1.36.0 up to but not including 2.2.0, the vulnerability means that webhook endpoints intended to be reachable only from whitelisted addresses can be invoked from any other address that contains a whitelisted entry as a substring. The direct effect is a loss of confidentiality: workflow triggers, and any data the webhook returns, become reachable by unauthorized callers. The CVSS vector rates integrity and availability impact as none, but an unauthorized invocation starts whatever workflow sits behind the webhook, so in practice a bypass can also cause unintended actions, operational disruption, or data leakage depending on what that workflow does. Organizations whose only control on a webhook is the IP whitelist are the most exposed. The attack is remote, unauthenticated, and low complexity, although it does require the attacker to send from an address that contains a trusted entry, which narrows the realistic attacker population to hosts numerically near the trusted ones, for example in the same subnet or cloud range. The risk is heightened where n8n workflows are wired into critical business processes or handle sensitive data. The absence of known exploits in the wild lowers the immediate threat but does not remove it, since the bypass is trivial to attempt once an attacker holds a suitable address. Unauthorized access to personal data through such an endpoint would also raise GDPR obligations. European entities should therefore treat this vulnerability as a moderate threat to their automation security posture.
Mitigation Recommendations
1. Upgrade all n8n instances to version 2.2.0 or later, where the IP whitelist validation is corrected to exact matching.
2. Until the upgrade is possible, enforce the intended source restriction at the network level (firewall rules, security groups, VPN, or allow/deny rules on the reverse proxy in front of n8n) so that the Webhook node's own check is not the only barrier.
3. Do not rely on IP whitelisting alone for webhook security on any version: enable the Webhook node's own Authentication setting (Basic Auth or Header Auth with a secret known only to the caller), or mutual TLS at the proxy where the calling system supports it.
4. Check how the client address reaches n8n. When n8n sits behind a reverse proxy or load balancer, the proxy must set the forwarded client address itself rather than pass through a client-supplied X-Forwarded-For header, and n8n must be configured to trust that proxy; otherwise the address the whitelist compares is attacker-controlled regardless of how the comparison is done.
5. Monitor webhook access logs for source addresses that are not on the whitelist but share digits with trusted entries (for example 192.168.1.100 where 192.168.1.10 is trusted), and for unexpected invocation volumes or times.
6. Audit the workflows behind IP-restricted webhooks to identify sensitive operations (data exports, outbound messages, changes to other systems) that an unauthorized trigger could abuse, and add authentication first to those.
7. Make development and operations teams aware that substring or prefix matching on IP strings is not an access control; comparisons must be on parsed, normalized addresses.
8. Keep incident response plans current so that unauthorized webhook activity, once detected, can be contained quickly (rotating any secrets the workflow exposes, pausing the workflow, and reviewing executions).
These measures together reduce the risk of exploitation beyond the basic patch application.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-26T16:36:34.398Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69669561a60475309fa56543
Added to database: 1/13/2026, 6:56:33 PM
Last enriched: 1/13/2026, 7:13:38 PM
Last updated: 1/14/2026, 3:43:08 AM
Related Threats
- CVE-2025-68970: CWE-20 Improper Input Validation in Huawei HarmonyOS (Medium)
- CVE-2025-68969: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Huawei HarmonyOS (Medium)
- CVE-2025-68968: CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length in Huawei HarmonyOS (High)
- CVE-2025-68967: CWE-264 Permissions, Privileges, and Access Controls in Huawei HarmonyOS (Medium)
- CVE-2025-68966: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Huawei HarmonyOS (Medium)