User Impersonation Affecting n8n package, versions <2.27.4>=2.28.0 <2.28.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.14% (4th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-N8N-17954285
  • published12 Jul 2026
  • disclosed9 Jul 2026
  • creditbearsyankees

Introduced: 9 Jul 2026

NewCVE-2026-59208  (opens in a new tab)
CWE-290  (opens in a new tab)

How to fix?

Upgrade n8n to version 2.27.4, 2.28.1 or higher.

Overview

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to User Impersonation via the token-exchange identity-resolution service in packages/cli/src/modules/token-exchange/services/identity-resolution.service.ts. An attacker can authenticate as another user by presenting a valid token from one trusted issuer whose JWT sub matches a victim account created under a different trusted issuer. The token-exchange flow resolves local identities using the subject claim alone instead of pairing it with the issuer, so instances that trust more than one external issuer can map two different upstream accounts to the same local account. This lets the attacker access the victim’s n8n account and its data and actions with the victim’s permissions.

Notes

  • The issue only applies when token exchange is enabled, and an instance trusts more than one external issuer; a single trusted issuer does not create the cross-issuer account-collision condition described in the advisory.
  • The collision is between identities stored under the token-exchange provider mapping, so the vulnerable path is the external-identity binding used during exchange rather than general n8n login or local user authentication.

Workarounds

  • If multiple trusted issuers are not required, reduce the token exchange configuration to a single trusted issuer to prevent cross-issuer subject collisions from binding two external accounts to the same local account.
  • Disable the token exchange feature entirely if it is not in active use to block the token-exchange authentication path that can be abused for account misbinding.

CVSS Base Scores

version 4.0
version 3.1