PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59208 n8n-io CVE debrief

The CVE-2026-59208 vulnerability is a high-severity issue affecting n8n, an open-source workflow automation platform. Prior to versions 2.27.4 and 2.28.1, n8n instances configured with multiple trusted token-exchange issuers were vulnerable to authentication bypass. An attacker with a valid token from one trusted issuer could authenticate as a victim under another issuer if the JWT sub claim matched. This issue is fixed in versions 2.27.4 and 2.28.1. The vulnerability is classified as CWE-287 (Improper Authentication) and CWE-346 (Sensitive Information Exposure). Affected users should prioritize patching to prevent potential authentication bypass attacks.

Vendor
n8n-io
Product
n8n
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-14
Advisory published
2026-07-09
Advisory updated
2026-07-14

Who should care

Users of n8n workflow automation platform, especially those with multiple trusted token-exchange issuers configured, should be aware of this vulnerability. Security teams and administrators responsible for n8n instances should prioritize patching to versions 2.27.4 or 2.28.1 to prevent potential authentication bypass attacks.

Technical summary

The vulnerability in n8n allows an attacker to bypass authentication by exploiting the token-exchange issuer configuration. Specifically, n8n instances with more than one trusted token-exchange issuer were resolving external identities to local accounts using only the JWT sub claim and ignoring the iss claim. This means an attacker with a valid token from one trusted issuer could authenticate as a victim under another issuer if the sub claim matched. The issue is classified as CWE-287 (Improper Authentication) and CWE-346 (Sensitive Information Exposure).

Defensive priority

High

Recommended defensive actions

  • Patch n8n instances to version 2.27.4 or 2.28.1
  • Review and update token-exchange issuer configurations
  • Monitor for suspicious authentication attempts
  • Implement additional authentication security measures
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-09T16:16:46.610Z and was last modified on 2026-07-14T01:16:18.827Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus and has not been independently verified. Defenders should verify the accuracy of this information with official sources.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T16:16:46.610Z and has not been modified since then. The NVD entry is currently Analyzed.