Sourced News

Atom Brief

Wed, Jul 15, 2026 · 64 stories · Confirmed · Subscribe
SECURITY

n8n Fixed A Bug Letting One Login Provider Impersonate Another's User

CVE-2026-59208, rated High severity (CVSS 7.6), let n8n match users only by the JWT's subject value, never its issuer.

  • Flaw hit any n8n instance with token exchange enabled and multiple trusted issuers configured.
  • Fixed in versions 2.28.1 and 2.27.4, released after disclosure on June 24, 2026.
  • Researcher bearsyankees reported the bug; only mitigation before patching was a single-issuer setup.

Why it matters: A login system that checks the claim but not its source cannot tell an ally from an impostor.

n8n Security Advisory GHSA-mq3m-f8x3-579w (GitHub) ↗ · Jul 15, 20267/15/26 · ✓ Checked✓ Check

Join the community.

Every story checked against the primary document.