VYPR
patchPublished Jul 16, 2026· 1 source

n8n Workflow Automation Platform Suffers Token Exchange Vulnerability

A critical flaw in n8n's Enterprise token exchange feature allowed attackers to log in as users from different identity providers by exploiting incorrect JWT issuer matching.

The workflow automation platform n8n has addressed a critical security vulnerability that could allow attackers to impersonate users on enterprise instances. The flaw, tracked as CVE-2026-59208, specifically impacts n8n Enterprise deployments configured to trust multiple external token issuers.

At the heart of the issue lies an incorrect implementation of token exchange, which n8n uses to allow OEM partners to embed the product without requiring users to log in again. When n8n receives a JSON Web Token (JWT) from an external issuer, it is supposed to verify the token's signature and then match it to a local user account. However, in instances with multiple trusted issuers, n8n was incorrectly matching JWTs based solely on the 'sub' (subject) claim, disregarding the 'iss' (issuer) claim.

This oversight meant that a valid token issued by one provider, containing a subject identifier that also exists under a different provider, could be used to authenticate as that user. Essentially, an attacker could obtain a token from issuer A and use it to log into an account associated with issuer B, bypassing the need for the user's actual credentials or any multi-factor authentication. The vulnerability was reported by the GitHub user bearsyankees, associated with Strix, a company developing an AI penetration testing agent.

The potential impact of CVE-2026-59208 is significant for affected deployments. The vulnerability is present only if the token exchange feature is enabled and the n8n instance is configured to trust at least two external issuers. While n8n states that other features are unaffected, the token exchange functionality is exclusive to the Enterprise version and is still marked as a preview feature in the documentation. This limits the exposed attack surface to specific OEM deployments that utilize this multi-issuer configuration.

Details regarding how an attacker might obtain a valid token are not fully elaborated in public advisories. However, the CVSS 4.0 score assigned by GitHub is 7.6 (High), indicating a significant risk. NVD's CVSS 3.1 score is 6.8 (Medium), with associated CWEs including CWE-287 (Improper Authentication) and CWE-346 (Origin Validation Error). As of mid-July 2026, no public proof-of-concept exploits were found, and CISA's assessment indicated no active exploitation.

Notably, this vulnerability follows another Enterprise-only flaw, CVE-2026-54305, patched just two weeks prior. That issue involved a missing ownership check that allowed authenticated users to overwrite or revoke other users' stored OAuth tokens. While a different technical mechanism, it highlights a pattern of security concerns within n8n's advanced Enterprise features.

n8n released fixes for CVE-2026-59208 in versions 2.27.4 and 2.28.1, with the initial fix landing on June 24, 2026. Users are advised to update to the latest stable version of n8n. For organizations unable to patch immediately, n8n suggests either reducing the number of trusted issuers to a single one or disabling the token exchange feature entirely. However, the advisory cautions that these are short-term measures and do not fully remediate the risk, though disabling the feature would, by n8n's own scope, render the instance unaffected.

The release notes for the patched versions did not explicitly mention the security fix, underscoring the importance of closely monitoring official advisories for critical updates. This incident serves as a reminder for organizations to maintain robust patch management processes and to carefully review security advisories, even when release notes might not immediately highlight the severity of addressed vulnerabilities.

Synthesized by Vypr AI