Find notable cyber news and cases, enriched with sources, timelines, and signals.

N8n Enterprise token exchange JWT issuer-binding flaw (CVE-2026-59208)

Vulnerability
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

n8n patched CVE-2026-59208, a JWT issuer-binding flaw in Enterprise token exchange that could log a user into the wrong account on multi-issuer deployments. The bug matched on sub alone and ignored iss, so a valid token from one trusted issuer could map to another user's local account. n8n shipped the fix on June 24, and the CVE became public on July 9.

Related Happenings

Cloud Software Group NetScaler urgent remediation advisory

Advisory/Mitigation
H score44 First: 25.03.2026 17:52 Last: 25.03.2026 17:52 Sources 1

About this happening: Cloud Software Group issued urgent remediation guidance for NetScaler ADC and NetScaler Gateway, telling affected customers to install updated versions as soon as poss...

N8n sandbox escape flaws (multiple vulnerabilities)

Vulnerability
H score41 First: 04.02.2026 15:00 Last: 04.02.2026 15:00 Sources 1

About this happening: Two maximum-severity sandbox-escape flaws in n8n expose self-hosted and cloud instances to complete server takeover and credential theft. An authenticated us...

Malicious npm packages masquerading as n8n integrations to steal OAuth credentials

Malware Activity
H score37 First: 12.01.2026 18:39 Last: 12.01.2026 18:39 Sources 1

About this happening: A set of eight npm packages impersonating n8n integrations is stealing developers' OAuth credentials, putting linked services and workflow access at risk. One package...

Timeline

  1. 16.07.2026 16:33 1 articles · 2h ago

    n8n ships a fix for the JWT issuer-binding flaw

    Mitigation Patch Update

    n8n shipped a fix for CVE-2026-59208 on June 24 after its Enterprise token-exchange login flow matched incoming JWTs on sub alone and ignored iss, which could let a token from one trusted issuer map to another local account.

    Show sources
  2. 09.07.2026 03:00 2 articles · 7d ago

    CVE-2026-59208 record goes public

    Initial Disclosure

    The CVE record for CVE-2026-59208 became public on July 9, and n8n credited the report to the GitHub account bearsyankees, whose profile lists Strix, the AI penetration testing agent that says it found the identity-binding bug in the token-exchange flow.

    Show sources