The Hacker News ·EN News source Patch releasedn8n Enterprise
n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer
CVE Tools coverage
n8n, the workflow automation platform, addressed a critical vulnerability in its Enterprise edition that allowed attackers to impersonate users from different token issuers. The flaw, tracked as CVE-2026-59208, stemmed from improper validation of the iss (issuer) field in JSON Web Tokens (JWTs), allowing a valid token from one issuer to log in as a user from another. This issue only affects n8n Enterprise instances configured to trust multiple external issuers. The fix was deployed on June 24, with updated versions 2.27.4 and 2.28.1. Affected organizations are advised to upgrade immediately or disable the token exchange feature if patching is delayed.