n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html

Publish Date: 2026-07-16 09:33:00

Source Domain: thehackernews.com

Swati KhandelwalJul 16, 2026Vulnerability / Web Security

n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss.

A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them. Their password never came into it. n8n shipped the fix on June 24.

The flaw is tracked as CVE-2026-59208. The CVE record did not go public until July 9. n8n credits the report to the GitHub account bearsyankees, whose profile lists Strix, which makes an AI penetration testing agent.

Strix says it pointed out that the agent at the token-exchange flow and found the identity-binding bug there.

Two issuers, one account

Token exchange is n8n’s Enterprise route for OEM partners who embed the product, an RFC 8693 implementation that spares their users a second login screen.

The partner signs a short-lived JWT with its own key, n8n verifies it against a configured public key, matches the claims to a local account, and the user is in. Trusted keys go in N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, and the deployment docs still tag the feature as preview.

The token itself checks out. The matching is the bug. A sub value is only guaranteed to be unique inside the issuer that minted it. RFC 7519 asks that it be “scoped to be locally unique in the context of the issuer” or else globally unique. The identifier for a user is therefore the pair, iss plus sub.

n8n keyed on half of it. Nothing stops two issuers from emitting the same subject string, and when they do, both land on one n8n account.

How big a deal is this

The flaw reaches an instance only if token exchange is switched on and the config trusts at least two external issuers. n8n says nothing else is affected. Token exchange is Enterprise-only and still flagged as a preview, so the exposed…

Source