Find notable cyber news and cases, enriched with sources, timelines, and signals.

N8n security patch release for CVE-2026-59208

Security Patch Release
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

n8n shipped fixes for CVE-2026-59208 on June 24, closing an Enterprise token-exchange flaw that could log a user into the wrong account when multiple external issuers were trusted. The bug affected releases below 2.27.4 and 2.28.0, and n8n later identified 2.27.4 and 2.28.1 as the fixed builds. The issue was limited to Enterprise-only token exchange deployments configured with more than one trusted issuer.

Related Happenings

RabbitMQ maintainers security patch release for CVE-2026-57219

Security Patch Release
H score29 First: 14.07.2026 16:48 Last: 14.07.2026 16:48 Sources 1

About this happening: RabbitMQ maintainers released fixed versions for multiple supported release lines, closing two access-control flaws that could expose OAuth client secrets and cross-te...

Gitea Docker images security update (CVE-2026-20896)

Security Patch Release
H score51 First: 06.07.2026 19:28 Last: 06.07.2026 19:28 Sources 1

About this happening: Gitea released version 1.26.3 to fix CVE-2026-20896, closing a critical authentication-bypass risk in Gitea Docker images. The update removed the default "*" wildc...

Dify security patch release for CVE-2026-41947

Security Patch Release
H score34 First: 22.06.2026 19:13 Last: 22.06.2026 19:13 Sources 1

About this happening: Dify shipped version 1.14.2 to fix most of the DifyTap vulnerabilities, closing cross-tenant paths that could expose AI chats, uploaded files, and internal API...

SimpleHelp security update for CVE-2026-48558

Security Patch Release
H score65 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: SimpleHelp released 5.5.16 and 6.0 RC2 on June 9 to fix CVE-2026-48558, a critical OIDC authentication flaw in SimpleHelp remote management software th...

Cisco Secure Workload REST API patch release (CVE-2026-20223)

Security Patch Release
H score55 First: 22.05.2026 08:36 Last: 22.05.2026 08:36 Sources 1

About this happening: Cisco patched CVE-2026-20223, a CVSS 10.0 Secure Workload REST API flaw that could expose sensitive data and allow configuration changes across tenant boundaries. The upda...

Timeline

  1. 16.07.2026 16:33 2 articles · 2h ago

    n8n fixes Enterprise token-exchange issuer-binding flaw

    Mitigation Patch Update

    n8n shipped the fix on June 24 for CVE-2026-59208, an Enterprise token-exchange bug where JWT login matched users on sub alone and ignored iss. The flaw could let a valid token from one trusted issuer log in as a user from another issuer on deployments that trusted more than one external token issuer.

    Show sources
  2. 09.07.2026 03:00 1 articles · 7d ago

    CVE-2026-59208 public record identifies n8n token-exchange flaw

    Initial Disclosure

    The CVE record for CVE-2026-59208 went public on July 9, putting the n8n Enterprise token-exchange identity-binding flaw into the public record. n8n attributed the report to bearsyankees and Strix, which said it found the bug in the token-exchange flow.

    Show sources