n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

Read full story on The Hacker News
Share
n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer
AI disclosure

Summary

n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss. A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them. Their password never

Original reporting

Open original source

Related coverage

Read full article on The Hacker News

Get the AFBytes Brief

Major stories, AI-assisted analysis, and what to watch next. Free, monthly, unsubscribe anytime.