BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

n8n bug lets one token claim login into wrong user account

Critical n8n identity-binding flaw CVE-2026-59208 allowed account takeover via cross-issuer impersonation ignoring JWT issuer claim

  • A critical identity-binding flaw in n8n‘s token exchange allowed account takeover when multiple external issuers were trusted.
  • The vulnerability (CVE-2026-59208) matched JWTs on the sub claim alone, ignoring iss, enabling cross-issuer impersonation.
  • n8n patched the issue on June 24 in versions 2.27.4 and 2.28.1; the CVE went public on July 9 with a CVSS 4.0 score of 7.6 (high).

n8n, the workflow automation platform, patched a critical identity-binding bug in its Enterprise token exchange feature that could let an attacker take over any user account. The flaw, tracked as CVE-2026-59208, affected instances configured to trust more than one external JWT issuer.

- Advertisement -

The platform matched incoming tokens to local accounts using only the sub claim, completely ignoring the iss field. According to n8n’s advisory, a valid token from issuer A with a sub belonging to a user under issuer B logged you in as that user — no password needed. The bug was discovered by bearsyankees, a profile associated with AI security firm Strix, which detailed the flaw at the token-exchange flow.

Token exchange implements RFC 8693, allowing OEM partners to embed n8n without a second login. Trusted keys are set in N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, but the matching logic violated RFC 7519, which requires that a user identifier be the pair of iss and sub, not just sub alone.

The flaw only affects Enterprise instances with token exchange enabled and at least two external issuers configured. n8n says nothing else is impacted. The advisory does not specify how an attacker obtains a valid token, but the CVSS 4.0 vector notes attack requirements are present.

GitHub assigned a CVSS 4.0 score of 7.6 (high), while NVD rated it 6.8 on CVSS 3.1 (medium). CISA’s July 13 assessment found no evidence of exploitation, and no public proof-of-concept has emerged. Just two weeks prior, n8n patched CVE-2026-54305, another Enterprise-only flaw that allowed authenticated users to overwrite others’ OAuth tokens.

- Advertisement -

Patched versions are 2.27.4 and 2.28.1; all earlier releases and 2.28.0 are vulnerable. The fix is not mentioned in changelogs, so administrators relying on release notes may miss it. Until upgrading, n8n recommends reducing trusted issuers to one or disabling token exchange entirely.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Analysts, traders: Stripe-Advent offer undervalues PayPal

A reported $53.4 billion takeover offer from Stripe and Advent International at $60.50 per...

Robinhood Chain’s memecoin boom fizzles as tokens die and launchpads pause

Robinhood Chain launched on July 1 for real-world assets, but its first week was...

BitPay secures MiCA license, expands EU stablecoin payments

BitPay secured a license as a crypto-asset service provider from the Dutch Authority for...

SpaceX 2036 valuation forecast: $470B to $40T

SpaceX 10-year valuation forecasts range from approximately $470 billion to $40 trillion, driven by...

Global Banking Regulators Set New Cryptoasset Risk Rules

Banking supervisors worldwide now treat cryptoasset risk as an explicit supervisory expectation across AML/CFT...

Must Read

What Is Bcrypt Password Hashing Function?

KEY TAKEAWAYSBcrypt is a password hashing function that transforms plain passwords into unique alphanumeric sequences.It is a one-way process, ensuring that passwords cannot be...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading