Skip to content
feed: live
>_ 0dayNews
CVE Record
[ MEDIUM ] CVE-2026-59208

n8n cross-issuer token exchange authentication bypass

n8n Enterprise instances with two or more trusted JWT issuers matched incoming tokens on `sub` alone, letting a valid token from one issuer log in as a same-`sub` user under another. Fixed in 2.27.4 and 2.28.1.

cat cve-2026-59208.json
Vendor
n8n
Product
n8n (versions below 2.27.4 and 2.28.0 on Enterprise multi-issuer token exchange)
CVSS
6.8
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-59208 is an authentication bypass in n8n’s token-exchange path (CWE-287 / CWE-346). On Enterprise deployments configured to trust more than one external JWT issuer via N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, n8n matched an incoming token to a local user account on the sub claim alone and ignored iss. A sub value is only guaranteed to be unique inside the issuer that minted it, so a valid token from issuer A carrying a sub belonging to a user under issuer B authenticated the request as that user without a password or MFA prompt.

Single-issuer deployments and deployments with token exchange disabled are not affected.

Affected: all n8n releases below 2.27.4, and 2.28.0. Fixed: 2.27.4, 2.28.1, and later. Current stable on npm at the time of the advisory is 2.30.6.

CVSS 4.0 in n8n’s GitHub advisory (GHSA-mq3m-f8x3-579w) is 7.6 (high). NVD’s CVSS 3.1 is 6.8 (medium). CISA’s SSVC record on 2026-07-13 lists no known public exploitation. Discovered by GitHub user bearsyankees and reported via Strix.

Interim mitigations documented in the advisory: reduce the trusted-issuer list to one via N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, or disable token exchange entirely. n8n notes both are incomplete — the fix is the upgrade.

The release notes for 2.27.4 and 2.28.1 do not mention the security content; the advisory is the only source that documents the fix. Researcher write-up: strix.ai/blog/n8n-cross-issuer-account-takeover.