n8n cross-issuer token exchange authentication bypass
n8n Enterprise instances with two or more trusted JWT issuers matched incoming tokens on `sub` alone, letting a valid token from one issuer log in as a same-`sub` user under another. Fixed in 2.27.4 and 2.28.1.
- Vendor
- n8n
- Product
- n8n (versions below 2.27.4 and 2.28.0 on Enterprise multi-issuer token exchange)
- CVSS
- 6.8
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
CVE-2026-59208 is an authentication bypass in n8n’s token-exchange path (CWE-287 / CWE-346). On Enterprise deployments configured to trust more than one external JWT issuer via N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, n8n matched an incoming token to a local user account on the sub claim alone and ignored iss. A sub value is only guaranteed to be unique inside the issuer that minted it, so a valid token from issuer A carrying a sub belonging to a user under issuer B authenticated the request as that user without a password or MFA prompt.
Single-issuer deployments and deployments with token exchange disabled are not affected.
Affected: all n8n releases below 2.27.4, and 2.28.0. Fixed: 2.27.4, 2.28.1, and later. Current stable on npm at the time of the advisory is 2.30.6.
CVSS 4.0 in n8n’s GitHub advisory (GHSA-mq3m-f8x3-579w) is 7.6 (high). NVD’s CVSS 3.1 is 6.8 (medium). CISA’s SSVC record on 2026-07-13 lists no known public exploitation. Discovered by GitHub user bearsyankees and reported via Strix.
Interim mitigations documented in the advisory: reduce the trusted-issuer list to one via N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, or disable token exchange entirely. n8n notes both are incomplete — the fix is the upgrade.
The release notes for 2.27.4 and 2.28.1 do not mention the security content; the advisory is the only source that documents the fix. Researcher write-up: strix.ai/blog/n8n-cross-issuer-account-takeover.
