Critical n8n Flaw Allowed Cross-Issuer Account Takeovers
A critical vulnerability, tracked as **CVE-2026-59208**, has been discovered in the workflow automation platform **n8n**. The flaw allowed unauthorized account takeovers on Enterprise instances configured with multiple external token issuers, by incorrectly validating JSON Web Tokens (JWTs). This issue has been patched, and users are urged to update their installations immediately.
The workflow automation platform **n8n** recently patched a significant security flaw, **CVE-2026-59208**, that could lead to unauthorized account takeovers. The vulnerability specifically affected **n8n** Enterprise instances utilizing its token exchange feature with more than one external token issuer.
The core of the problem lay in how **n8n** processed incoming JWTs. Instead of validating both the `sub` (subject) and `iss` (issuer) claims, the platform incorrectly matched users based solely on the `sub` claim. This oversight meant that a valid token from one trusted issuer, carrying a `sub` claim identical to a user under a different trusted issuer, would grant access to the latter's account without requiring their password.

### The Mechanics of the Flaw
**n8n**'s token exchange is an Enterprise-only feature, often used by OEM partners to embed the product and streamline user authentication, avoiding a second login screen. It implements **RFC 8693**, where a partner signs a short-lived JWT, which **n8n** then verifies against a configured public key and matches claims to a local account.
The vulnerability stemmed from **n8n**'s failure to adhere strictly to **RFC 7519**, which stipulates that a `sub` value is only guaranteed to be unique within the context of its issuer. Therefore, a user's true identifier is the combination of `iss` and `sub`. By only keying on `sub`, **n8n** opened the door for collision if two different issuers happened to assign the same subject string, leading to an account binding error.
### Scope and Impact
This flaw impacts **n8n** instances only if the token exchange feature is enabled and configured to trust at least two external issuers. Given that token exchange is an Enterprise-only and still-preview feature, the exposed attack surface is relatively contained, primarily affecting OEM deployments.
While the advisory confirms the vulnerability, it does not detail how an attacker might obtain the necessary token or influence the `sub` claim they receive. **GitHub**, acting as the CNA for **CVE-2026-59208**, assigned a CVSS 4.0 score of 7.6 (High), while **NVD** rated it 6.8 (Medium) on CVSS 3.1, noting **CWE-287** (Improper Authentication) and **CWE-346** (Origin Validation Error).
This incident follows another recent Enterprise-only flaw, **CVE-2026-54305**, patched two weeks prior. That vulnerability allowed any authenticated user to overwrite or revoke other users' stored **OAuth** tokens due to a missing ownership check, highlighting a pattern of identity-related issues in **n8n**'s Enterprise features.

### Remediation and Recommendations
**CVE-2026-59208** affects all **n8n** releases below 2.27.4 and version 2.28.0. The fix was initially released in versions 2.27.4 and 2.28.1. Users are strongly advised to upgrade to the latest stable build supported by their deployment, currently 2.30.6 as of July 16.
For those unable to patch immediately, temporary mitigation strategies include:
* Reducing the `N8N_TOKEN_EXCHANGE_TRUSTED_KEYS` environment variable to a single trusted issuer.
* Disabling the token exchange feature entirely.
While **n8n**'s advisory labels these as short-term measures, turning off the token exchange feature should, by the advisory's own scope statement, eliminate the risk. It's crucial for administrators to note that these fixes were not explicitly mentioned in the respective release notes (2.27.4 and 2.28.1 changelogs), underscoring the importance of consulting security advisories directly rather than relying solely on release notes for critical security updates.