- A critical identity-binding flaw in n8n‘s token exchange allowed account takeover when multiple external issuers were trusted.
- The vulnerability (
CVE-2026-59208) matched JWTs on thesubclaim alone, ignoringiss, enabling cross-issuer impersonation. - n8n patched the issue on June 24 in versions 2.27.4 and 2.28.1; the CVE went public on July 9 with a CVSS 4.0 score of 7.6 (high).
n8n, the workflow automation platform, patched a critical identity-binding bug in its Enterprise token exchange feature that could let an attacker take over any user account. The flaw, tracked as CVE-2026-59208, affected instances configured to trust more than one external JWT issuer.
The platform matched incoming tokens to local accounts using only the sub claim, completely ignoring the iss field. According to n8n’s advisory, a valid token from issuer A with a sub belonging to a user under issuer B logged you in as that user — no password needed. The bug was discovered by bearsyankees, a profile associated with AI security firm Strix, which detailed the flaw at the token-exchange flow.
Token exchange implements RFC 8693, allowing OEM partners to embed n8n without a second login. Trusted keys are set in N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, but the matching logic violated RFC 7519, which requires that a user identifier be the pair of iss and sub, not just sub alone.
The flaw only affects Enterprise instances with token exchange enabled and at least two external issuers configured. n8n says nothing else is impacted. The advisory does not specify how an attacker obtains a valid token, but the CVSS 4.0 vector notes attack requirements are present.
GitHub assigned a CVSS 4.0 score of 7.6 (high), while NVD rated it 6.8 on CVSS 3.1 (medium). CISA’s July 13 assessment found no evidence of exploitation, and no public proof-of-concept has emerged. Just two weeks prior, n8n patched CVE-2026-54305, another Enterprise-only flaw that allowed authenticated users to overwrite others’ OAuth tokens.
Patched versions are 2.27.4 and 2.28.1; all earlier releases and 2.28.0 are vulnerable. The fix is not mentioned in changelogs, so administrators relying on release notes may miss it. Until upgrading, n8n recommends reducing trusted issuers to one or disabling token exchange entirely.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
