n8n Token Exchange Flaw Could Let Attackers Log In As Users From Another Issuer

n8n, a workflow automation platform, provided incorrect accounts for login. In Enterprise environments configured to trust more than one external token issuer, match the incoming JWT to the local user sub he wants to be alone and ignored iss.
A valid token from issuer A that holds a sub which belongs to another person under issuer B who imported it as him. Their password did not enter it. n8n posted a fix on June 24.
The error is followed by CVE-2026-59208. The CVE record was not made public until July 9. n8n posted a report on the GitHub account bearsyankees, whose profile lists Strix, which makes an AI penetration testing agent.
Strix says it revealed that it was an agent in the flow of the token exchange and found an identity-binding error there.
Two issuers, one account
Token switching is the n8n way of business for OEM partners who embed a product, using RFC 8693 to save their users a second login screen.
The partner signs the temporary JWT with its key, n8n authenticates with the configured public key, matches the local account’s claims, and the user is logged in. Trusted keys enter. N8N_TOKEN_EXCHANGE_TRUSTED_KEYSand the deployment documentation still marks the feature as a preview.
The token itself checks. Parallels is a bug. A sub the value is only guaranteed to be unique within the issuer you named. RFC 7519 calls for it to be “identified to be locally unique to the issuer’s context” or globally unique. So the user identifier is a pair, iss plus sub.
n8n put half of it. There is nothing stopping two issuers from issuing the same subject string, and if they do, they both reside in the same n8n account.
How great is this thing
The error only occurs if token exchange is enabled and the configuration relies on at least two external issuers. n8n says nothing else is involved. Token switching is Enterprise-only and still marked as a preview, so the exposed set is small and clear: OEM deployments, where trusting a secondary issuer is a supported configuration.
That advice does not focus on how the attacker obtains the token. Only they can find it. A practical question is whether a typical user in a trusted issuer can influence the sub they accept it. The public record does not respond. GitHub’s CVSS 4.0 vector marks the attack requirements as present and stops there.

GitHub assigns that vector. As the CNA here, puts it CVE-2026-59208 at 7.6 on CVSS 4.0, high. NVD puts the same error at 6.8 on CVSS 3.1, which is average, and hasn’t released a 4.0 test at all; its record holds CWE-287 again CWE-346. A July 13 CISA audit of SSVC records the exploit as non-existent, and Hacker News found no public evidence in a July 16 search.
Two weeks before the June 24 renovation, the caretakers fired CVE-2026-54305just another business mistake. Allows any authorized user to overwrite or revoke OAuth tokens stored by another user through Dynamic Credentials endpoints. That was a missing identity check, not an ID arrest. Different bug, same place.
Hacker News reached out to n8n to confirm the scope and impact of the CVE-2026-59208 and will update this story with any feedback.
Pack or trim the list of outliers
CVE-2026-59208 it affects all n8n releases below 2.27.4 and version 2.28.0. Fixes start in 2.27.4 and 2.28.1. Those are down. On July 16, n8n’s npm package ported 2.30.6 to both latest again stable tags. He posts a new baby every week on his account, so check the tag and pick up a new stable to build your posting bases.
If the patch has to wait, find out what you’re using: N8N_TOKEN_EXCHANGE_TRUSTED_KEYS holds trusted signing keys, and a separate preview flag controls whether token exchange is enabled. Limit back to one trusted remover, or turn off the feature.
The advisory calls both measures temporary and says they do not fully address the risk. That’s boilerplate, it’s the same for at least three other n8n advisories, including the one on June 10. For the n8n scope statement, the event where the token exchange is closed is not affected.
There is no release note that mentions the fix. Hacker News tested both: among them, the 2.27.4 and 2.28.1 changelogs cover Python import fixes, Google Ads node improvements, AI workflow testing, and node build changes, and nothing about ownership.
Counseling is where this one lives. If your upgrade decisions apply to changelogs, this is a transient type of fix.



