n8n Fixed A Bug Letting One Login Provider Impersonate Another's User
CVE-2026-59208, rated High severity (CVSS 7.6), let n8n match users only by the JWT's subject value, never its issuer.
- Flaw hit any n8n instance with token exchange enabled and multiple trusted issuers configured.
- Fixed in versions 2.28.1 and 2.27.4, released after disclosure on June 24, 2026.
- Researcher bearsyankees reported the bug; only mitigation before patching was a single-issuer setup.
Why it matters: A login system that checks the claim but not its source cannot tell an ally from an impostor.
n8n Security Advisory GHSA-mq3m-f8x3-579w (GitHub) ↗ · Jul 15, 20267/15/26 · ✓ Checked✓ Check