CVE-2026-59208 in n8n
Summary
by MITRE • 07/09/2026
n8n is an open source workflow automation platform. Prior to 2.27.4 and from 2.28.0 prior to 2.28.1, n8n instances configured with more than one trusted token-exchange issuer resolved external identities to local accounts using only the JWT sub claim and ignored the iss claim, allowing an attacker with a valid token from one trusted issuer and a sub matching a victim under another issuer to authenticate as that victim. This issue is fixed in versions 2.27.4 and 2.28.1.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability in n8n workflow automation platform represents a critical authentication bypass flaw that undermines the security of multi-issuer configurations. This issue affects versions prior to 2.27.4 and from 2.28.0 before 2.28.1, where the platform's identity resolution mechanism fails to properly validate the issuer claim during token processing. The flaw stems from the platform's reliance on only the JWT subject claim for account mapping while completely disregarding the issuer claim that should serve as a critical validation factor. This design oversight creates a dangerous scenario where attackers can exploit the system by obtaining valid authentication tokens from one trusted identity provider and leveraging them against users authenticated through different but trusted providers.
The technical implementation of this vulnerability demonstrates a failure in proper identity federation handling that aligns with CWE-287, which addresses improper authentication vulnerabilities. When n8n instances are configured with multiple trusted token-exchange issuers, the system should maintain strict separation between different identity domains to prevent cross-issuer impersonation attacks. However, the platform's flawed logic processes external identities by mapping them solely based on the JWT sub (subject) field without verifying that the token originates from the expected issuer. This omission creates a path for privilege escalation where an attacker can craft malicious tokens with valid signatures from one trusted issuer and matching subject identifiers from another trusted issuer.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables sophisticated impersonation attacks that can bypass security controls designed to isolate different user domains. An attacker who gains access to a valid token from one trusted identity provider can effectively assume the identity of any legitimate user within the system who was authenticated through a different but trusted issuer. This creates a significant risk for organizations using n8n with multiple authentication providers, as it eliminates the security boundary that should exist between different identity domains. The vulnerability essentially allows attackers to perform actions with elevated privileges by exploiting the lack of proper issuer validation in the token processing pipeline.
The mitigation strategy involves updating n8n instances to versions 2.27.4 or 2.28.1, which implement proper issuer claim validation during external identity resolution. This update ensures that the platform correctly validates both the subject and issuer claims when mapping external identities to local accounts, thereby preventing cross-issuer impersonation attacks. Organizations should also conduct thorough security reviews of their multi-issuer configurations to identify any potential exposure and consider implementing additional monitoring controls to detect suspicious authentication patterns. The fix addresses the underlying ATT&CK technique T1566 which involves credential harvesting through compromised tokens, by ensuring proper identity validation mechanisms are in place. Security teams should verify that all n8n deployments with multiple trusted issuers have been updated and validate that the token resolution process now properly enforces issuer boundaries to prevent unauthorized access attempts.