๐Ÿ” CVE Alert

CVE-2026-59208

UNKNOWN 0.0

n8n: Cross-Issuer Token Exchange Account Binding via Subject-Only Identity Resolution

CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
4th

n8n is an open source workflow automation platform. Prior to 2.27.4 and from 2.28.0 prior to 2.28.1, n8n instances configured with more than one trusted token-exchange issuer resolved external identities to local accounts using only the JWT sub claim and ignored the iss claim, allowing an attacker with a valid token from one trusted issuer and a sub matching a victim under another issuer to authenticate as that victim. This issue is fixed in versions 2.27.4 and 2.28.1.

CWE CWE-287 CWE-346
Vendor n8n-io
Product n8n
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for n8n-io n8n

Be the first to know when new unknown vulnerabilities affecting n8n-io n8n are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

n8n-io / n8n
>= 2.28.0, < 2.28.1 < 2.27.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/n8n-io/n8n/security/advisories/GHSA-mq3m-f8x3-579w github.com: https://github.com/n8n-io/n8n/releases/tag/n8n%402.27.4 github.com: https://github.com/n8n-io/n8n/releases/tag/n8n%402.28.1