Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires a valid trusted-issuer token (PR:L) plus a non-default multi-issuer config and a cross-issuer sub collision (AC:H); account takeover yields C:H/I:H, no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
n8n is an open source workflow automation platform. Prior to 2.27.4 and from 2.28.0 prior to 2.28.1, n8n instances configured with more than one trusted token-exchange issuer resolved external identities to local accounts using only the JWT sub claim and ignored the iss claim, allowing an attacker with a valid token from one trusted issuer and a sub matching a victim under another issuer to authenticate as that victim. This issue is fixed in versions 2.27.4 and 2.28.1.
AnalysisAI
Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the n8n instance to be configured with more than one trusted token-exchange issuer - a single-issuer or non-federated deployment is not vulnerable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N, base 7.6 High) tells a consistent story: network-reachable, no user interaction, but requiring some privilege (PR:L - the attacker must already hold a valid token from one trusted issuer) and an attack requirement (AT:P - the target environment must run multiple trusted issuers and a sub collision must exist). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who legitimately controls (or can register) an account at trusted Issuer B sets or obtains a sub value identical to a high-privilege victim's sub under trusted Issuer A. They present a valid token-exchange token from Issuer B to the multi-issuer n8n instance; n8n matches on sub alone, ignores the iss, and logs the attacker into the victim's account with the victim's workflows and credentials. … |
| Remediation | Vendor-released patch: upgrade to n8n 2.27.4 (for the 2.27.x and earlier branch) or 2.28.1 (for the 2.28.x branch), which fix identity resolution to scope lookups by both the iss and sub claims; see the advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-mq3m-f8x3-579w and release notes at https://github.com/n8n-io/n8n/releases/tag/n8n%402.27.4 and https://github.com/n8n-io/n8n/releases/tag/n8n%402.28.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit your n8n SSO configuration to identify if multiple identity issuers are trusted; if yes, escalate to incident response and immediately restrict to single issuer or implement compensating controls. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with
n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft
An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit
Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP
The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox
The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is
The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is
n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow
This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42610