Close Menu
    What's Hot

    Swatch’s New Gold MoonSwatch Solves the Problem of the Nightmare Royal Pop Launch

    Athens blocks new EU sanctions on Russia to shield Greek shipping company

    n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

    Facebook X (Twitter) Instagram
    Trending
    • Swatch’s New Gold MoonSwatch Solves the Problem of the Nightmare Royal Pop Launch
    • Athens blocks new EU sanctions on Russia to shield Greek shipping company
    • n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer
    • When U.S. disasters strike, Trump is denying more FEMA aid to Democrats than Republicans
    • Development Economics for an Age of Upheaval by Carlos Lopes
    • Opinion | Trump’s Election Denial Has Never Been More Dangerous
    • Geopolitical Fragmentation Is North Korea’s Greatest Asset
    • How Nike’s Diversity Efforts Made It a Trump Target
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

    adminBy adminJuly 16, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Swati KhandelwalJul 16, 2026Vulnerability / Web Security

    n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

    n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss.

    A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them. Their password never came into it. n8n shipped the fix on June 24.

    The flaw is tracked as CVE-2026-59208. The CVE record did not go public until July 9. n8n credits the report to the GitHub account bearsyankees, whose profile lists Strix, which makes an AI penetration testing agent.

    Strix says it pointed out that the agent at the token-exchange flow and found the identity-binding bug there.

    Two issuers, one account

    Token exchange is n8n’s Enterprise route for OEM partners who embed the product, an RFC 8693 implementation that spares their users a second login screen.

    The partner signs a short-lived JWT with its own key, n8n verifies it against a configured public key, matches the claims to a local account, and the user is in. Trusted keys go in N8N_TOKEN_EXCHANGE_TRUSTED_KEYS, and the deployment docs still tag the feature as preview.

    Cybersecurity

    The token itself checks out. The matching is the bug. A sub value is only guaranteed to be unique inside the issuer that minted it. RFC 7519 asks that it be “scoped to be locally unique in the context of the issuer” or else globally unique. The identifier for a user is therefore the pair, iss plus sub.

    n8n keyed on half of it. Nothing stops two issuers from emitting the same subject string, and when they do, both land on one n8n account.

    How big a deal is this

    The flaw reaches an instance only if token exchange is switched on and the config trusts at least two external issuers. n8n says nothing else is affected. Token exchange is Enterprise-only and still flagged as a preview, so the exposed set is small and specific: OEM deployments, where trusting a second issuer is a supported configuration.

    What the advisory does not pin down is how an attacker gets the token. It says only that they can obtain one. The practical question is whether an ordinary user at a trusted issuer can influence the sub they receive. The public record does not answer it. GitHub’s CVSS 4.0 vector marks attack requirements as present and stops there.

    GitHub assigned that vector. As the CNA here, it puts CVE-2026-59208 at 7.6 on CVSS 4.0, high. NVD puts the same bug at 6.8 on CVSS 3.1, medium, and has not issued a 4.0 assessment at all; its record carries CWE-287 and CWE-346. CISA’s July 13 SSVC assessment records exploitation as none, and The Hacker News found no public proof-of-concept in searches on July 16.

    Two weeks before the June 24 fix, the maintainers patched CVE-2026-54305, another Enterprise-only flaw. It lets any authenticated user overwrite or revoke another user’s stored OAuth tokens through the Dynamic Credentials endpoints. That one was a missing ownership check, not an identity binding. Different bug, same surface.

    Cybersecurity

    The Hacker News has reached out to n8n for confirmation on the scope and impact of CVE-2026-59208 and will update this story with any response.

    Patch or cut the issuer list

    CVE-2026-59208 affects every n8n release below 2.27.4 and version 2.28.0. The fix first landed in 2.27.4 and 2.28.1. Those are the floor. On July 16, n8n’s npm package carried 2.30.6 on both its latest and stable tags. It ships a new minor most weeks by its own account, so check the tag and take the newest stable build your deployment supports.

    If patching has to wait, work out what you are running: N8N_TOKEN_EXCHANGE_TRUSTED_KEYS holds the trusted signing keys, and a separate preview flag controls whether token exchange is on at all. Cut back to a single trusted issuer, or turn the feature off.

    The advisory calls both short-term measures and says neither fully remediates the risk. That is boilerplate, identical in at least three other n8n advisories, including the June 10 one. By n8n’s own scope statement, an instance with token exchange off is not affected.

    Neither release note mentions the fix. The Hacker News checked both: between them, the 2.27.4 and 2.28.1 changelogs cover a Python import fix, a Google Ads node upgrade, an AI workflow check, and a node-building change, and nothing about identity.

    The advisory is where this one lives. If your upgrade decisions run on changelogs, this is the kind of fix that slips past.

    Attackers Exchange flaw Issuer Log n8n token users
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleWhen U.S. disasters strike, Trump is denying more FEMA aid to Democrats than Republicans
    Next Article Athens blocks new EU sanctions on Russia to shield Greek shipping company
    admin
    • Website

    Related Posts

    New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

    July 16, 2026

    AI Can Find Bugs, But Human Knowledge Still Proves Them

    July 16, 2026

    OpenAI’s GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 Sol

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Swatch’s New Gold MoonSwatch Solves the Problem of the Nightmare Royal Pop Launch

    Athens blocks new EU sanctions on Russia to shield Greek shipping company

    n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

    When U.S. disasters strike, Trump is denying more FEMA aid to Democrats than Republicans

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by