CVE Tools
Back to feed
The Hacker News ·EN News source Patch releasedn8n Enterprise

n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

By The Hacker News··4 min read
CVE Tools coverage

n8n, the workflow automation platform, addressed a critical vulnerability in its Enterprise edition that allowed attackers to impersonate users from different token issuers. The flaw, tracked as CVE-2026-59208, stemmed from improper validation of the iss (issuer) field in JSON Web Tokens (JWTs), allowing a valid token from one issuer to log in as a user from another. This issue only affects n8n Enterprise instances configured to trust multiple external issuers. The fix was deployed on June 24, with updated versions 2.27.4 and 2.28.1. Affected organizations are advised to upgrade immediately or disable the token exchange feature if patching is delayed.