[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl6UL_5w-FOplP6wN2tRpmETkBk-1Pzk0EcldUKqOduM":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"361640fe-92bc-4c20-8cf8-03a49d07cb6e","n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer","n8n-token-exchange-flaw-could-let-attackers-log-in-as-users-from-another-issuer-ae0348","n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss. A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them. Their password never","n8n's Enterprise token exchange feature contained an authentication bypass vulnerability (CVE-2026-59208) where JWT validation only checked the 'sub' claim while ignoring the 'iss' (issuer) claim. On instances configured to trust multiple external token issuers, an attacker with a valid token from issuer A could log in as a user from issuer B if they shared the same subject identifier. The flaw affects n8n versions below 2.27.4 and 2.28.0, with patches available in 2.27.4+ and 2.28.1+.","n8n token exchange flaw allows attackers to log in as users from another issuer via JWT sub claim mismatch.","n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer Swati KhandelwalJul 16, 2026Vulnerability \u002F Web Security n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss. A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them. Their password never came into it. n8n shipped the fix on June 24. The flaw is tracked as CVE-2026-59208. The CVE record did not go public until July 9. n8n credits the report to the GitHub account bearsyankees, whose profile lists Strix, which makes an AI penetration testing agent. Strix says it pointed out that the agent at the token-exchange flow and found the identity-binding bug there. Two issuers, one account Token exchange is n8n's Enterprise route for OEM partners who embed the product, an RFC 8693 implementation that spares their users a second login screen. The partner signs a short-lived JWT with its own key, n8n verifies it against a configured public key, matches the claims to a local account, and the user is in. Trusted keys go in N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, and the deployment docs still tag the feature as preview. The token itself checks out. The matching is the bug. A sub value is only guaranteed to be unique inside the issuer that minted it. RFC 7519 asks that it be \"scoped to be locally unique in the context of the issuer\" or else globally unique. The identifier for a user is therefore the pair, iss plus sub. n8n keyed on half of it. Nothing stops two issuers from emitting the same subject string, and when they do, both land on one n8n account. How big a deal is this The flaw reaches an instance only if token exchange is switched on and the config trusts at least two external issuers. n8n says nothing else is affected. Token exchange is Enterprise-only and still flagged as a preview, so the exposed set is small and specific: OEM deployments, where trusting a second issuer is a supported configuration. What the advisory does not pin down is how an attacker gets the token. It says only that they can obtain one. The practical question is whether an ordinary user at a trusted issuer can influence the sub they receive. The public record does not answer it. GitHub's CVSS 4.0 vector marks attack requirements as present and stops there. GitHub assigned that vector. As the CNA here, it puts CVE-2026-59208 at 7.6 on CVSS 4.0, high. NVD puts the same bug at 6.8 on CVSS 3.1, medium, and has not issued a 4.0 assessment at all; its record carries CWE-287 and CWE-346. CISA's July 13 SSVC assessment records exploitation as none, and The Hacker News found no public proof-of-concept in searches on July 16. Two weeks before the June 24 fix, the maintainers patched CVE-2026-54305, another Enterprise-only flaw. It lets any authenticated user overwrite or revoke another user's stored OAuth tokens through the Dynamic Credentials endpoints. That one was a missing ownership check, not an identity binding. Different bug, same surface. The Hacker News has reached out to n8n for confirmation on the scope and impact of CVE-2026-59208 and will update this story with any response. Patch or cut the issuer list CVE-2026-59208 affects every n8n release below 2.27.4 and version 2.28.0. The fix first landed in 2.27.4 and 2.28.1. Those are the floor. On July 16, n8n's npm package carried 2.30.6 on both its latest and stable tags. It ships a new minor most weeks by its own account, so check the tag and take the newest stable build your deployment supports. If patching has to wait, work out what you are running: N8N_TOKEN_EXCHANGE_TRUSTED_KEYS holds the trusted signing keys, and a separate preview flag controls whether token exchange is on at all. Cut back to a single trusted issuer, or turn the feature off. The advisory calls both short-term measures and says neither fully remediates the risk. That is boilerplate, identical in at least three other n8n advisories, including the June 10 one. By n8n's own scope statement, an instance with token exchange off is not affected. Neither release note mentions the fix. The Hacker News checked both: between them, the 2.27.4 and 2.28.1 changelogs cover a Python import fix, a Google Ads node upgrade, an AI workflow check, and a node-building change, and nothing about identity. The advisory is where this one lives. If your upgrade decisions run on changelogs, this is the kind of fix that slips past. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Access Control, account takeover, API Security, Application Security, Authentication, enterprise security, Identity Security, Security patch, Vulnerability, Web Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP\u002F3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New \"Bad Epoll\" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fn8n-token-exchange-flaw-could-let.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEj1Pvezsft8WXzYy1Lw3zKDZrkf0TNZfj95rzTnuQgzbJuztRDNDFK35ahO9UfhNJOicjjuzyZGFCtC_idBl8vgNdw4kzfeYFo6LwUur66S5qUTO2Bl3WVLwCDWoDTnw4dlZdj_ZQ1T2JcG1dWfJeoO3WDZs94EVm9z0hZ8VPL36KDpaAmw7fH9hSWSSaw\u002Fs1600\u002Fn8n-main.jpg","2026-07-16T13:33:25+00:00","2026-07-16T16:00:13.362629+00:00",8,[18,21,23,26,29,31],{"name":19,"type":20},"n8n","product",{"name":19,"type":22},"vendor",{"name":24,"type":25},"Strix","threat_actor",{"name":27,"type":28},"JWT","technology",{"name":30,"type":28},"OAuth",{"name":32,"type":28},"RFC 8693","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[39],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",[45,49],{"type":46,"value":47,"context":48},"cve","CVE-2026-59208","JWT identity binding vulnerability in n8n token exchange allowing cross-issuer account takeover",{"type":46,"value":50,"context":51},"CVE-2026-54305","Related n8n Enterprise vulnerability allowing authenticated users to revoke\u002Foverwrite other users' OAuth tokens"]