n8n's workflow automation platform experienced a security flaw allowing attackers to log in as users from different issuers. The bug allowed valid tokens from one issuer to erroneously authenticate users from another, impacting Enterprise deployments that trust multiple external token issuers.
n8n, a workflow automation platform, had a token exchange flaw allowing authentication issues when multiple external token issuers were trusted. The platform matched incoming JWTs to users based solely on the 'sub' claim, ignoring the 'iss' claim. This resulted in users being logged in as someone else, using tokens from different issuers without needing the correct password.
This vulnerability, tracked as CVE-2026-59208, affects instances of n8n configured for token exchange with at least two trusted issuers. The issue was reported by a GitHub user who highlighted the identity-binding bug during a penetration test. n8n addressed the problem with a patch released on June 24, 2023, but the CVE details were made public on July 9.
The flaw primarily impacts OEM deployments, as token exchange is an Enterprise-only feature, and current configurations that utilize it are still in preview. The practical implications depend on how a malicious actor could obtain a valid token and whether a user can influence the 'sub' value they receive. The advisory does not clarify these details, leaving some uncertainty regarding exploitation.
The vulnerability has been rated with a CVSS score of 7.6 by GitHub, indicating a high severity level, while NVD has rated it at 6.8, categorizing it as medium. This discrepancy highlights differing assessments of the exploitability and potential impact of the bug.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
n8n's workflow automation platform experienced a security flaw allowing attackers to log in as users from different issuers. The bug allowed valid tokens from one issuer to erroneously authenticate users from another, impacting Enterprise deployments that trust multiple external token issuers.