{"id":290279,"date":"2026-07-16T09:33:00","date_gmt":"2026-07-16T13:33:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/16\/n8n-token-exchange-flaw-could-let-attackers-log-in-as-users-from-another-issuer\/"},"modified":"2026-07-16T13:25:08","modified_gmt":"2026-07-16T17:25:08","slug":"n8n-token-exchange-flaw-could-let-attackers-log-in-as-users-from-another-issuer","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/16\/n8n-token-exchange-flaw-could-let-attackers-log-in-as-users-from-another-issuer\/","title":{"rendered":"n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/n8n-token-exchange-flaw-could-let.html\">n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/n8n-token-exchange-flaw-could-let.html\">https:\/\/thehackernews.com\/2026\/07\/n8n-token-exchange-flaw-could-let.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-16 09:33:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Swati Khandelwal<\/span>\ue802<span class=\"author\">Jul 16, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Web Security<\/span><\/p>\n<p>n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the\u00a0sub\u00a0claim alone and ignored\u00a0iss.<\/p>\n<p>A valid token from issuer A carrying a\u00a0sub\u00a0that belongs to someone under issuer B logged you in as them. Their password never came into it. n8n shipped the fix on June 24.<\/p>\n<p>The flaw is tracked as\u00a0CVE-2026-59208. The CVE record did not go public until July 9. n8n\u00a0credits the report\u00a0to the GitHub account bearsyankees, whose profile lists Strix, which makes an AI penetration testing agent.<\/p>\n<p>Strix\u00a0says\u00a0it pointed out that the agent at the token-exchange flow and found the identity-binding bug there.<\/p>\n<h2>Two issuers, one account<\/h2>\n<p>Token exchange is n8n&#8217;s Enterprise route for\u00a0OEM partners who embed the product, an\u00a0RFC 8693 implementation\u00a0that spares their users a second login screen.<\/p>\n<p>The partner signs a short-lived JWT with its own key, n8n verifies it against a configured public key, matches the claims to a local account, and the user is in. Trusted keys go in N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, and the\u00a0deployment docs\u00a0still tag the feature as preview.<\/p>\n<p>The token itself checks out. The matching is the bug. A\u00a0sub\u00a0value is only guaranteed to be unique inside the issuer that minted it.\u00a0RFC 7519\u00a0asks that it be &#8220;scoped to be locally unique in the context of the issuer&#8221; or else globally unique. The identifier for a user is therefore\u00a0the pair,\u00a0iss\u00a0plus\u00a0sub.<\/p>\n<p>n8n keyed on half of it. Nothing stops two issuers from emitting the same subject string, and when they do, both land on one n8n account.<\/p>\n<h2>How big a deal is this<\/h2>\n<p>The flaw reaches an instance only if token exchange is switched on and the config trusts at least two external issuers.\u00a0n8n says\u00a0nothing else is affected. Token exchange is Enterprise-only and still flagged as a preview, so the exposed&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/n8n-token-exchange-flaw-could-let.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer https:\/\/thehackernews.com\/2026\/07\/n8n-token-exchange-flaw-could-let.html&#8230;<\/p>\n","protected":false},"author":1,"featured_media":290280,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj1Pvezsft8WXzYy1Lw3zKDZrkf0TNZfj95rzTnuQgzbJuztRDNDFK35ahO9UfhNJOicjjuzyZGFCtC_idBl8vgNdw4kzfeYFo6LwUur66S5qUTO2Bl3WVLwCDWoDTnw4dlZdj_ZQ1T2JcG1dWfJeoO3WDZs94EVm9z0hZ8VPL36KDpaAmw7fH9hSWSSaw\/s1600\/n8n-main.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,27],"class_list":["post-290279","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/290279"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=290279"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/290279\/revisions"}],"predecessor-version":[{"id":290281,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/290279\/revisions\/290281"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/290280"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=290279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=290279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=290279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}