Ethical Hacking News
n8n workflow automation platform has revealed a critical vulnerability that allows attackers to bypass authentication and gain unauthorized access to user accounts by exploiting a flaw in its token exchange feature. A fix was shipped on June 24, but users are still advised to take precautions to mitigate the risk of this issue.
n8n workflow automation platform has a critical vulnerability that allows attackers to bypass authentication and gain unauthorized access to user accounts.The issue arises when an external token issuer is configured to trust multiple issuers, leading to a mismatch between the subject (sub) claim of the token and the intended issuer.A fix was shipped on June 24 for CVE-2026-59208, which affects every n8n release below version 2.27.4 and version 2.28.0.Users can patch their instances by updating to version 2.27.4 or later, cutting back to a single trusted issuer, or disabling token exchange altogether.The impact of this vulnerability is considered significant, particularly for users who have configured their n8n instances to trust multiple external token issuers.
The n8n workflow automation platform has recently revealed a critical vulnerability that allows attackers to bypass authentication and gain unauthorized access to user accounts by exploiting a flaw in its token exchange feature. According to the company, the issue arises when an external token issuer is configured to trust multiple issuers, leading to a mismatch between the subject (sub) claim of the token and the intended issuer.
This vulnerability was discovered by Strix, an AI penetration testing agent, who identified that the identity-binding bug in n8n's token-exchange flow allowed attackers to log in as users from another issuer. The issue stems from the fact that n8n matches incoming JWTs against a local user on the sub claim alone and ignores the iss claim, which is meant to identify the issuing entity.
When an attacker obtains a valid token from an issuer A with a sub that belongs to someone under issuer B, they can successfully log in as that individual without ever having their password. The vulnerability was first reported by GitHub account bearsyankees, whose profile lists Strix as the responsible party for pointing out the bug.
The n8n team has shipped a fix for this issue on June 24, and it is tracked as CVE-2026-59208. The company acknowledges that the flaw affects every n8n release below version 2.27.4 and version 2.28.0. Users can patch their instances by updating to version 2.27.4 or later, cutting back to a single trusted issuer, or disabling token exchange altogether.
The impact of this vulnerability is considered significant, particularly for users who have configured their n8n instances to trust multiple external token issuers. The bug does not affect users who have token exchange disabled, which should be the case for most users. However, the severity of the issue can vary depending on how an attacker obtains a token and how they choose to exploit it.
In terms of attack vectors, the vulnerability allows attackers to bypass authentication by exploiting the mismatch between the subject and issuer claims in JWTs. This could potentially lead to identity theft, data breaches, or other malicious activities that compromise user accounts.
The n8n team has attributed the fix to a patch for CVE-2026-54305, another Enterprise-only flaw discovered two weeks prior to the June 24 release. The Hacker News has reached out to n8n for confirmation on the scope and impact of this vulnerability, which will be updated as more information becomes available.
In the meantime, users are advised to take steps to mitigate the risk of this vulnerability by patching their instances, cutting back to a single trusted issuer, or disabling token exchange altogether. The Hacker News will continue to provide updates on this issue as more information becomes available.
Related Information:
https://www.ethicalhackingnews.com/articles/n8n-Token-Exchange-Flaw-Leaves-Users-Vulnerable-to-Identity-Theft-via-Misaligned-Issuer-Subject-Claims-ehn.shtml
https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
https://nvd.nist.gov/vuln/detail/CVE-2026-54305
https://www.cvedetails.com/cve/CVE-2026-54305/
https://nvd.nist.gov/vuln/detail/CVE-2026-59208
https://www.cvedetails.com/cve/CVE-2026-59208/
Published: Thu Jul 16 09:53:20 2026 by llama3.2 3B Q4_K_M