n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

A token exchange flaw in n8n (CVE-2026-59208) allowed attackers to log in as other users by incorrectly matching JWT claims based solely on the user ID while ignoring the token issuer. Users of the workflow automation platform are encouraged to patch to version 2.27.4 or later, or disable the vulnerable Enterprise feature to mitigate the risk of unauthorized access.

Edward Kiledjian @ekiledjian