Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

The Hacker News by The Hacker News
July 16, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Swati KhandelwalJul 16, 2026Vulnerability / Web Security

n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss.

A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them. Their password never came into it. n8n shipped the fix on June 24.

The flaw is tracked as CVE-2026-59208. The CVE record did not go public until July 9. n8n credits the report to the GitHub account bearsyankees, whose profile lists Strix, which makes an AI penetration testing agent.

Strix says it pointed out that the agent at the token-exchange flow and found the identity-binding bug there.

Two issuers, one account

Token exchange is n8n’s Enterprise route for OEM partners who embed the product, an RFC 8693 implementation that spares their users a second login screen.

The partner signs a short-lived JWT with its own key, n8n verifies it against a configured public key, matches the claims to a local account, and the user is in. Trusted keys go in N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, and the deployment docs still tag the feature as preview.

The token itself checks out. The matching is the bug. A sub value is only guaranteed to be unique inside the issuer that minted it. RFC 7519 asks that it be “scoped to be locally unique in the context of the issuer” or else globally unique. The identifier for a user is therefore the pair, iss plus sub.

n8n keyed on half of it. Nothing stops two issuers from emitting the same subject string, and when they do, both land on one n8n account.

How big a deal is this

The flaw reaches an instance only if token exchange is switched on and the config trusts at least two external issuers. n8n says nothing else is affected. Token exchange is Enterprise-only and still flagged as a preview, so the exposed set is small and specific: OEM deployments, where trusting a second issuer is a supported configuration.

What the advisory does not pin down is how an attacker gets the token. It says only that they can obtain one. The practical question is whether an ordinary user at a trusted issuer can influence the sub they receive. The public record does not answer it. GitHub’s CVSS 4.0 vector marks attack requirements as present and stops there.

GitHub assigned that vector. As the CNA here, it puts CVE-2026-59208 at 7.6 on CVSS 4.0, high. NVD puts the same bug at 6.8 on CVSS 3.1, medium, and has not issued a 4.0 assessment at all; its record carries CWE-287 and CWE-346. CISA’s July 13 SSVC assessment records exploitation as none, and The Hacker News found no public proof-of-concept in searches on July 16.

Two weeks before the June 24 fix, the maintainers patched CVE-2026-54305, another Enterprise-only flaw. It lets any authenticated user overwrite or revoke another user’s stored OAuth tokens through the Dynamic Credentials endpoints. That one was a missing ownership check, not an identity binding. Different bug, same surface.

The Hacker News has reached out to n8n for confirmation on the scope and impact of CVE-2026-59208 and will update this story with any response.

Patch or cut the issuer list

CVE-2026-59208 affects every n8n release below 2.27.4 and version 2.28.0. The fix first landed in 2.27.4 and 2.28.1. Those are the floor. On July 16, n8n’s npm package carried 2.30.6 on both its latest and stable tags. It ships a new minor most weeks by its own account, so check the tag and take the newest stable build your deployment supports.

If patching has to wait, work out what you are running: N8N_TOKEN_EXCHANGE_TRUSTED_KEYS holds the trusted signing keys, and a separate preview flag controls whether token exchange is on at all. Cut back to a single trusted issuer, or turn the feature off.

The advisory calls both short-term measures and says neither fully remediates the risk. That is boilerplate, identical in at least three other n8n advisories, including the June 10 one. By n8n’s own scope statement, an instance with token exchange off is not affected.

Neither release note mentions the fix. The Hacker News checked both: between them, the 2.27.4 and 2.28.1 changelogs cover a Python import fix, a Google Ads node upgrade, an AI workflow check, and a node-building change, and nothing about identity.

The advisory is where this one lives. If your upgrade decisions run on changelogs, this is the kind of fix that slips past.



Source link

The Hacker News

The Hacker News

Next Post
Sen. Warren says Trump’s CFPB overhaul has cost Americans .5 billion

Sen. Warren says Trump's CFPB overhaul has cost Americans $26.5 billion

Recommended.

Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam

Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam

September 26, 2025
Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server

Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server

May 14, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio