n8n's workflow automation platform contains an authentication bypass vulnerability affecting Enterprise instances configured with multiple external token issuers. The flaw allows attackers to assume the identity of arbitrary users by presenting valid JSON Web Tokens (JWTs) from one issuer while claiming the subject identity of a user registered under a different issuer.
The vulnerability stems from improper JWT validation. n8n's authentication logic checked only the `sub` (subject) claim when matching incoming tokens to local user accounts. It failed to validate the `iss` (issuer) claim, creating a mismatch between token origin and user identity verification. An attacker with a valid JWT from issuer A could use it to authenticate as any user whose `sub` value exists in the system, regardless of which issuer that user actually authenticates through.
This bypasses password requirements entirely. An attacker needs only knowledge of a target user's subject identifier and access to a valid token from any trusted issuer. In multi-tenant or federated authentication environments, this represents severe lateral movement risk.
The vulnerability applies specifically to n8n Enterprise deployments using multiple configured token issuers. Standard n8n instances with single issuer configurations face reduced exposure, though organizations should verify their authentication topology. Users relying on JWT-based external authentication—particularly those integrating with multiple identity providers—require immediate patching.
n8n likely released fixes addressing the `iss` claim validation in subsequent versions. Organizations running Enterprise instances should check their deployment configurations and apply available security updates. Review authentication logs for suspicious cross-issuer token usage patterns. Organizations should also audit which external issuers currently have trust relationships with their n8n deployments.
The vulnerability demonstrates how JWT validation errors compound in multi-issuer architectures. Proper implementation requires checking both `sub` and `iss` claims together as a composite user identifier, not relying on subject
