The n8n workflow automation platform mishandled JWT authentication on multi‑issuer Enterprise setups, matching users solely on the sub claim and ignoring the iss claim. This flaw lets a valid token from one issuer log in as a user belonging to another issuer, bypassing passwords entirely.
मुख्य बिंदु (Key Takeaways)
- n8n Enterprise incorrectly validates JWTs by trusting only the sub claim, ignoring the issuer (iss) claim.
- A token issued by Issuer A can authenticate as a user whose identifier belongs to Issuer B, enabling cross‑issuer logins.
- Mitigation requires strict issuer verification, token‑refresh limits, and immediate patching of affected instances.
n8n is a popular open‑source workflow automation tool that offers Single Sign‑On (SSO) via external identity providers (IdPs). The authentication flow relies on JSON Web Tokens (JWT), where two claims are critical: iss (the token’s issuer) and sub (the subject or user identifier). In a correctly implemented system, both claims are verified before granting access.
Technical Flaw Uncovered
Security researchers discovered that in n8n’s multi‑issuer configuration, the login routine only compares the sub claim against local user records, completely disregarding the iss claim. Consequently, a malicious actor who obtains a legitimate JWT from Issuer A—containing a sub value that matches a user under Issuer B—can be authenticated as that user without ever providing a password.
Potential Impact on Enterprises
This vulnerability is especially dangerous for organizations that trust several IdPs (e.g., Azure AD, Okta, Keycloak). Once an attacker achieves a cross‑issuer login, they can access sensitive workflows, extract confidential data, or automate malicious actions. Beyond immediate data loss, the breach may trigger regulatory non‑compliance penalties under GDPR, ISO 27001, or other standards.
Remediation and Patch Details
n8n responded promptly with a security update that enforces strict issuer validation during JWT parsing. Administrators are urged to upgrade all Enterprise instances to the latest version and adopt the following hardening measures:
- Maintain a whitelist of trusted issuers and reject any token whose iss claim is not explicitly allowed.
- Shorten token‑refresh windows to limit the usefulness of stolen tokens.
- Implement continuous audit logging for login events and set alerts on anomalous cross‑issuer patterns.
Broader Lessons for the Industry
The incident underscores the importance of a security‑first mindset when integrating JWT‑based SSO, particularly in multi‑tenant or multi‑issuer environments. Organizations should not rely solely on vendor patches; they must also establish robust identity‑governance frameworks and conduct regular code‑review audits for authentication pathways.