Skip to main content

n8n CVE-2026-59208

| EUVDEUVD-2026-42610 HIGH
Improper Authentication (CWE-287)
2026-07-09 GitHub_M
7.6
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network-reachable but requires a valid trusted-issuer token (PR:L) plus a non-default multi-issuer config and a cross-issuer sub collision (AC:H); account takeover yields C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 09, 2026 - 17:01 EUVD
Analysis Generated
Jul 09, 2026 - 16:22 vuln.today
CVE Published
Jul 09, 2026 - 15:27 cve.org
HIGH 7.6

DescriptionCVE.org

n8n is an open source workflow automation platform. Prior to 2.27.4 and from 2.28.0 prior to 2.28.1, n8n instances configured with more than one trusted token-exchange issuer resolved external identities to local accounts using only the JWT sub claim and ignored the iss claim, allowing an attacker with a valid token from one trusted issuer and a sub matching a victim under another issuer to authenticate as that victim. This issue is fixed in versions 2.27.4 and 2.28.1.

AnalysisAI

Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid token from trusted Issuer B
Delivery
Craft/select sub matching victim under Issuer A
Exploit
Submit token to multi-issuer n8n endpoint
Execution
n8n resolves identity by sub, ignores iss
Persist
Authenticate as victim account
Impact
Access victim workflows and stored credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires the n8n instance to be configured with more than one trusted token-exchange issuer - a single-issuer or non-federated deployment is not vulnerable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N, base 7.6 High) tells a consistent story: network-reachable, no user interaction, but requiring some privilege (PR:L - the attacker must already hold a valid token from one trusted issuer) and an attack requirement (AT:P - the target environment must run multiple trusted issuers and a sub collision must exist). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who legitimately controls (or can register) an account at trusted Issuer B sets or obtains a sub value identical to a high-privilege victim's sub under trusted Issuer A. They present a valid token-exchange token from Issuer B to the multi-issuer n8n instance; n8n matches on sub alone, ignores the iss, and logs the attacker into the victim's account with the victim's workflows and credentials. …
Remediation Vendor-released patch: upgrade to n8n 2.27.4 (for the 2.27.x and earlier branch) or 2.28.1 (for the 2.28.x branch), which fix identity resolution to scope lookups by both the iss and sub claims; see the advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-mq3m-f8x3-579w and release notes at https://github.com/n8n-io/n8n/releases/tag/n8n%402.27.4 and https://github.com/n8n-io/n8n/releases/tag/n8n%402.28.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit your n8n SSO configuration to identify if multiple identity issuers are trusted; if yes, escalate to incident response and immediately restrict to single issuer or implement compensating controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-33720 MEDIUM POC
6.3 Mar 25

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

Share

CVE-2026-59208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy