N8n security patch release for CVE-2026-59208
Security Patch Release
Summary
Hide ▲
Show ▼
n8n shipped fixes for CVE-2026-59208 on June 24, closing an Enterprise token-exchange flaw that could log a user into the wrong account when multiple external issuers were trusted. The bug affected releases below 2.27.4 and 2.28.0, and n8n later identified 2.27.4 and 2.28.1 as the fixed builds. The issue was limited to Enterprise-only token exchange deployments configured with more than one trusted issuer.
Related Happenings
RabbitMQ maintainers security patch release for CVE-2026-57219
Security Patch Release
H score29
First: 14.07.2026 16:48
Last: 14.07.2026 16:48
Sources 1
About this happening:
RabbitMQ maintainers released fixed versions for multiple supported release lines, closing two access-control flaws that could expose OAuth client secrets and cross-te...
RabbitMQ maintainers security patch release for CVE-2026-57219
Security Patch ReleaseAbout this happening: RabbitMQ maintainers released fixed versions for multiple supported release lines, closing two access-control flaws that could expose OAuth client secrets and cross-te...
Gitea Docker images security update (CVE-2026-20896)
Security Patch Release
H score51
First: 06.07.2026 19:28
Last: 06.07.2026 19:28
Sources 1
About this happening:
Gitea released version 1.26.3 to fix CVE-2026-20896, closing a critical authentication-bypass risk in Gitea Docker images. The update removed the default "*" wildc...
Gitea Docker images security update (CVE-2026-20896)
Security Patch ReleaseAbout this happening: Gitea released version 1.26.3 to fix CVE-2026-20896, closing a critical authentication-bypass risk in Gitea Docker images. The update removed the default "*" wildc...
Dify security patch release for CVE-2026-41947
Security Patch Release
H score34
First: 22.06.2026 19:13
Last: 22.06.2026 19:13
Sources 1
About this happening:
Dify shipped version 1.14.2 to fix most of the DifyTap vulnerabilities, closing cross-tenant paths that could expose AI chats, uploaded files, and internal API...
Dify security patch release for CVE-2026-41947
Security Patch ReleaseAbout this happening: Dify shipped version 1.14.2 to fix most of the DifyTap vulnerabilities, closing cross-tenant paths that could expose AI chats, uploaded files, and internal API...
SimpleHelp security update for CVE-2026-48558
Security Patch Release
H score65
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
SimpleHelp released 5.5.16 and 6.0 RC2 on June 9 to fix CVE-2026-48558, a critical OIDC authentication flaw in SimpleHelp remote management software th...
SimpleHelp security update for CVE-2026-48558
Security Patch ReleaseAbout this happening: SimpleHelp released 5.5.16 and 6.0 RC2 on June 9 to fix CVE-2026-48558, a critical OIDC authentication flaw in SimpleHelp remote management software th...
Cisco Secure Workload REST API patch release (CVE-2026-20223)
Security Patch Release
H score55
First: 22.05.2026 08:36
Last: 22.05.2026 08:36
Sources 1
About this happening:
Cisco patched CVE-2026-20223, a CVSS 10.0 Secure Workload REST API flaw that could expose sensitive data and allow configuration changes across tenant boundaries. The upda...
Cisco Secure Workload REST API patch release (CVE-2026-20223)
Security Patch ReleaseAbout this happening: Cisco patched CVE-2026-20223, a CVSS 10.0 Secure Workload REST API flaw that could expose sensitive data and allow configuration changes across tenant boundaries. The upda...
Timeline
-
16.07.2026 16:33 2 articles · 2h ago
n8n fixes Enterprise token-exchange issuer-binding flaw
Mitigation Patch Updaten8n shipped the fix on June 24 for CVE-2026-59208, an Enterprise token-exchange bug where JWT login matched users on sub alone and ignored iss. The flaw could let a valid token from one trusted issuer log in as a user from another issuer on deployments that trusted more than one external token issuer.
Show sources
- n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer — thehackernews.com — 16.07.2026 16:33
- n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer — thehackernews.com — 16.07.2026 16:33
-
09.07.2026 03:00 1 articles · 7d ago
CVE-2026-59208 public record identifies n8n token-exchange flaw
Initial DisclosureThe CVE record for CVE-2026-59208 went public on July 9, putting the n8n Enterprise token-exchange identity-binding flaw into the public record. n8n attributed the report to bearsyankees and Strix, which said it found the bug in the token-exchange flow.
Show sources
- n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer — thehackernews.com — 16.07.2026 16:33