Introduction
A critical authentication vulnerability has been identified in n8n Enterprise instances that could allow attackers to bypass identity verification and gain unauthorized access to user accounts. The flaw stems from improper JSON Web Token (JWT) validation in environments configured with multiple external token issuers. Specifically, n8n's token exchange mechanism validates incoming tokens based solely on the sub (subject) claim while completely ignoring the iss (issuer) claim. This means a valid token from Issuer A containing a sub value that matches a user account belonging to Issuer B will successfully authenticate as that user—effectively granting cross-issuer account takeover capabilities without requiring the victim's password or second-factor credentials.
For organizations running n8n Enterprise with federated identity providers, this represents a severe identity protection failure. The vulnerability undermines the fundamental security boundary between trusted identity providers and could allow a compromised account in one identity sphere to pivot to accounts in another. Defenders need to act immediately to assess exposure, implement detection controls, and apply vendor patches.
Technical Analysis
Affected Products and Configurations
- Product: n8n Enterprise Edition
- Affected Configuration: Instances configured with multiple external OAuth/OIDC token issuers
- Platform: Containerized deployments and bare-metal installations (Node.js runtime)
- Impact Component: JWT token validation logic in authentication module
Vulnerability Mechanics
The vulnerability exists in n8n's token exchange endpoint responsible for processing incoming JWTs from external identity providers. The flaw manifests in the following sequence:
- Token Reception: n8n receives a JWT from an external identity provider during SSO login
- Flawed Validation: The validation logic extracts the
subclaim and queries the local user database for a matching subject identifier - Issuer Blindness: The validation routine fails to verify that the token's
issclaim matches the expected issuer for that user account - Successful Authentication: If a matching
subis found regardless of issuer, the user is granted an authenticated session
This creates a cross-issuer authentication bypass where:
- An attacker with a valid token from Identity Provider A (Issuer A)
- Can identify or guess the
subclaim of a target user from Identity Provider B (Issuer B) - Present their token from Issuer A containing the target's
subvalue - Successfully authenticate as the target user from Issuer B
Exploitation Requirements
- n8n Enterprise instance configured with at least two external token issuers
- Attacker possesses a valid JWT token from at least one trusted issuer
- Attacker knows or can enumerate the
subclaim value of a target user from another issuer - No credential theft or MFA bypass required
Exploitation Status
At the time of disclosure, this vulnerability has been identified through security research. While there is no confirmed evidence of active in-the-wild exploitation, the technical simplicity of the attack suggests that motivated adversaries with access to valid tokens could quickly weaponize this flaw. Organizations should assume potential exposure and treat this as an active threat.
Detection & Response
SIGMA Rules
---
title: n8n Potential Cross-Issuer Authentication Bypass
id: 8f4d2a91-c7e3-4f5b-9a6d-1e2c3b4a5d6f
status: experimental
description: Detects potential cross-issuer authentication bypass in n8n by identifying successful logins where the token issuer does not match the user's expected identity provider
references:
- https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.initial_access
- attack.t1078
- attack.credential_access
logsource:
category: web
product: n8n
detection:
selection:
c-uri|contains: '/rest/oauth2-credential/callback'
sc-status: 200
filter_legitimate:
cs-headers|contains: 'X-n8n-expected-issuer'
condition: selection and not filter_legitimate
falsepositives:
- Legitimate authentication during identity provider migration
- Testing of new identity provider configurations
level: high
---
title: n8n Multiple Issuer Token Usage Pattern
id: 3b7f1e84-d5c9-4e2a-8b3f-2a4d5e6f7a8b
status: experimental
description: Detects suspicious authentication patterns where the same user account (sub) successfully authenticates from multiple different token issuers within a short timeframe
references:
- https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.initial_access
- attack.t1078.004
logsource:
category: web
product: n8n
detection:
selection:
c-uri|contains: '/rest/oauth2-credential/callback'
sc-status: 200
timeframe: 1h
condition: selection | count() by cs-uri-query, cs-user-agent > 1
falsepositives:
- Users legitimately switching between identity providers
- Identity provider failover testing
level: medium
---
title: n8n Anomalous JWT Subject Claim Access
id: 7a2c3d94-e8f1-4b6c-9d4e-3b5a6c7d8e9f
status: experimental
description: Detects potential exploitation attempts by identifying access patterns where JWT tokens claim subjects that do not correspond to the requesting issuer context
references:
- https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.initial_access
- attack.t1552
logsource:
category: web
product: n8n
detection:
selection:
c-uri|contains: '/rest/oauth2-credential/callback'
cs-uri-query|contains: 'iss'
filter:
cs-uri-query|contains: 'sub'
condition: selection and filter
falsepositives:
- Standard OAuth flows with complete token parameters
level: low
KQL (Microsoft Sentinel / Defender)
// Hunt for potential n8n cross-issuer authentication bypass
// Query analyzes web authentication logs for suspicious patterns
let TimeWindow = 1h;
let n8nAuthLogs = Syslog
| where ProcessName contains "n8n"
| where SyslogMessage contains "/rest/oauth2-credential/callback"
| extend StatusCode = extract("\"status\":\s*(\d+)", 1, SyslogMessage)
| where StatusCode == "200"
| extend Issuer = extract("\"iss\":\s*\"([^\"]+)\"", 1, SyslogMessage)
| extend Subject = extract("\"sub\":\s*\"([^\"]+)\"", 1, SyslogMessage)
| extend UserAgent = extract("\"user-agent\":\s*\"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, HostName, Issuer, Subject, UserAgent, SyslogMessage;
// Detect same subject authenticating from multiple issuers
n8nAuthLogs
| summarize Count=dcount(Issuer), Issuers=make_set(Issuer) by Subject, bin(TimeGenerated, TimeWindow)
| where Count > 1
| project Subject, Count, Issuers, TimeGenerated
| order by Count desc;
// Detect authentication attempts with missing or mismatched issuer validation
n8nAuthLogs
| where isnull(Issuer) or Issuer == ""
| project TimeGenerated, HostName, Subject, UserAgent, SyslogMessage;
Velociraptor VQL
-- Hunt for n8n authentication anomalies and version identification
-- Check running n8n processes and extract version information
SELECT Pid, Name, CommandLine, Exe, Username, Ctime, StartTime
FROM pslist()
WHERE Name =~ 'node' AND CommandLine =~ 'n8n'
-- Search for n8n configuration files that may expose issuer settings
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='/*/n8n/config/*.', root='/')
-- Check n8n application logs for authentication events
SELECT FullPath, Size, Mtime
FROM glob(globs='/var/log/n8n/*.log', root='/')
LIMIT 50
-- Identify active network connections to n8n services
SELECT Fqdn, RemoteAddr, RemotePort, State, Pid, Family, Type
FROM netstat()
WHERE Fqdn =~ 'n8n' OR ProcessName =~ 'n8n'
Remediation Script (Bash)
#!/bin/bash
# n8n JWT Authentication Flaw - Verification and Hardening Script
# This script checks for vulnerable configurations and applies mitigations
set -euo pipefail
echo "[*] Starting n8n JWT Authentication Hardening Check..."
echo "[*] Date: $(date)"
# Check if n8n is running
N8N_PROCESS=$(pgrep -f "n8n" || true)
if [ -z "$N8N_PROCESS" ]; then
echo "[!] n8n process not detected. Ensure n8n is running before running this check."
exit 1
fi
echo "[+] n8n process detected: PID $N8N_PROCESS"
# Check n8n version (for vendor reference)
echo "[*] Checking n8n version..."
N8N_VERSION=$(n8n version 2>/dev/null || echo "Unable to determine version")
echo "[*] Current n8n version: $N8N_VERSION"
# Locate n8n configuration directory
echo "[*] Locating n8n configuration..."
N8N_CONFIG_DIRS=("/home/node/.n8n" "/root/.n8n" "/etc/n8n" "/opt/n8n")
N8N_CONFIG_DIR=""
for dir in "${N8N_CONFIG_DIRS[@]}"; do
if [ -d "$dir" ]; then
N8N_CONFIG_DIR="$dir"
break
fi
done
if [ -z "$N8N_CONFIG_DIR" ]; then
echo "[!] n8n configuration directory not found in standard locations."
exit 1
fi
echo "[+] Configuration directory found: $N8N_CONFIG_DIR"
# Check for multiple OAuth/OIDC issuer configurations
echo "[*] Checking for multiple identity provider configurations..."
OAUTH_CONFIG_FILE="$N8N_CONFIG_DIR/config"
if [ -f "$OAUTH_CONFIG_FILE" ]; then
ISSUER_COUNT=$(grep -c "N8N_OAUTH2_.*_CLIENT_ID" "$OAUTH_CONFIG_FILE" 2>/dev/null || echo "0")
echo "[*] Number of configured OAuth clients: $ISSUER_COUNT"
if [ "$ISSUER_COUNT" -gt 1 ]; then
echo "[!] WARNING: Multiple OAuth issuers detected - this instance may be vulnerable to cross-issuer authentication bypass."
echo "[!] Immediate patching is required."
else
echo "[+] Single OAuth issuer configured - reduced exposure profile."
fi
else
echo "[!] Configuration file not found: $OAUTH_CONFIG_FILE"
fi
# Check for JWT environment variables
echo "[*] Checking JWT configuration..."
JWT_ISSUER=$(grep -E "^N8N_JWT_ISSUER|^N8N_JWT_AUTH_HEADER" "$N8N_CONFIG_DIR/.env" 2>/dev/null || echo "Not configured")
echo "[*] JWT configuration: $JWT_ISSUER"
# Output remediation recommendations
echo ""
echo "==============================================="
echo "REMEDIATION RECOMMENDATIONS"
echo "==============================================="
echo ""
echo "1. IMMEDIATE ACTION: Update n8n to the latest patched version"
echo " - Check official n8n security advisory for specific patch versions"
echo " - Vendor advisory: https://docs.n8n.io/security/"
echo ""
echo "2. Configuration hardening until patch is applied:"
echo " - Temporarily disable secondary OAuth issuers if possible"
echo " - Implement WAF rules to block suspicious token exchange patterns"
echo " - Monitor authentication logs for cross-issuer login attempts"
echo ""
echo "3. Post-patch verification:"
echo " - Validate that JWT token verification includes 'iss' claim"
echo " - Test authentication flow with tokens from different issuers"
echo " - Confirm that token subject (sub) is validated against issuer (iss)"
echo ""
echo "[*] Script completed."
Remediation
Immediate Actions
-
Apply Vendor Patches: Update n8n Enterprise to the latest patched version immediately. Refer to the official n8n security advisory for specific version numbers that address this vulnerability. The patch ensures that JWT validation enforces both
subandissclaim matching, preventing cross-issuer authentication bypass. -
Temporary Mitigation (If Patching Delayed): If immediate patching is not feasible, temporarily reduce your identity provider configuration to a single trusted issuer. This eliminates the cross-issuer attack vector, though it may impact operational flexibility for organizations requiring multi-provider support.
-
Configuration Review: Audit all configured OAuth/OIDC providers in your n8n Enterprise instance. Document all issuers, their scopes, and the user populations they serve. This visibility is critical for validating that the fix correctly enforces issuer boundaries.
Verification Steps
After applying the patch, perform the following validation:
-
Test Cross-Issuer Isolation: Attempt to authenticate with a valid token from Issuer A containing a
subclaim that exists for Issuer B. The authentication must fail. Successful login indicates the patch was not applied correctly. -
Review Authentication Logs: Examine n8n access logs for recent authentication events. Confirm that all successful logins show appropriate issuer validation and no anomalous cross-issuer patterns exist.
-
JWT Inspection: If possible, inspect JWT tokens being processed by your n8n instance. Verify that both
subandissclaims are present and that validation logic references both claims during user lookup.
Vendor Resources
- Official n8n Security Advisory: Monitor the n8n documentation portal for the security bulletin addressing this vulnerability
- Patch Availability: Patches are available through standard n8n update channels (npm, Docker Hub, package repositories)
- Support Contact: For Enterprise customers, contact n8n support for guidance on patch deployment and validation
Long-Term Hardening
Beyond the immediate patch, implement these identity security controls:
- JWT Claim Enforcement: Implement application-layer monitoring to ensure all JWT-based authentication includes mandatory
issclaim validation - Identity Provider Segmentation: Consider separating n8n instances by identity provider if multi-issuer support is a hard requirement
- Security Monitoring: Deploy continuous monitoring for authentication anomalies, including impossible travel patterns, cross-issuer login attempts, and unexpected token issuance
- Regular Configuration Audits: Schedule quarterly reviews of OAuth/OIDC configurations to detect drift or unauthorized additions of new identity providers
This vulnerability represents a fundamental failure in identity boundary enforcement. Treat this as a critical security event and prioritize remediation accordingly. Proper JWT validation is non-negotiable in enterprise identity federations—ensure your n8n implementation enforces these controls rigorously.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.