GHSA-W96V-GF22-CRWP

Vulnerability from github – Published: 2026-01-13 14:57 – Updated: 2026-01-13 21:40
VLAI?
Summary
n8n: Webhook Node IP Whitelist Bypass via Partial String Matching
Details

Impact

The Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring.

This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary.

Patches

This issue has been patched in version 2.2.0.

Users are advised to upgrade to v2.2.0 or later, where IP whitelist validation uses strict IP comparison logic rather than partial string matching.

Workarounds

Users unable to upgrade immediately should avoid relying solely on IP whitelisting for webhook security. Recommended mitigations include: - Adding authentication mechanisms such as shared secrets, HMAC signatures, or API keys. - Avoiding short or prefix-based whitelist entries. - Enforcing IP filtering at the network layer (for example, via reverse proxies or firewalls).

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.36.0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-183",
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T14:57:12Z",
    "nvd_published_at": "2026-01-13T19:16:15Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\nThe Webhook node\u2019s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring.\n\nThis issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary.\n\n## Patches\nThis issue has been patched in version 2.2.0.\n\nUsers are advised to upgrade to v2.2.0 or later, where IP whitelist validation uses strict IP comparison logic rather than partial string matching.\n\n## Workarounds\nUsers unable to upgrade immediately should avoid relying solely on IP whitelisting for webhook security. Recommended mitigations include:\n- Adding authentication mechanisms such as shared secrets, HMAC signatures, or API keys.\n- Avoiding short or prefix-based whitelist entries.\n- Enforcing IP filtering at the network layer (for example, via reverse proxies or firewalls).",
  "id": "GHSA-w96v-gf22-crwp",
  "modified": "2026-01-13T21:40:42Z",
  "published": "2026-01-13T14:57:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68949"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/issues/23399"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/pull/23399"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/n8n-io/n8n"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "n8n: Webhook Node IP Whitelist Bypass via Partial String Matching"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.