Home/News/n8n Workflow Platform Suffers Token Authentication Vulnerability
The Hacker News2 min read

By Interestana AI Editorial — AI-drafted, human-overseen. How we report

n8n Workflow Platform Suffers Token Authentication Vulnerability

n8n Workflow Platform Suffers Token Authentication Vulnerability

n8n, the workflow automation platform, has a critical vulnerability that could allow unauthorized access to user accounts on enterprise instances. The flaw, identified in the platform's token authentication process, occurs when enterprise instances are configured to trust more than one external token issuer. In such configurations, n8n incorrectly matches an incoming JSON Web Token (JWT) to a local user based solely on the 'sub' claim, disregarding the 'iss' (issuer) claim. This oversight means a valid token issued by one entity (Issuer A) but containing a 'sub' claim belonging to a user under a different issuer (Issuer B) could grant the attacker access to the legitimate user's account without needing their password.

This vulnerability poses a significant security risk, as it enables attackers to impersonate other users by crafting or obtaining a JWT with a specific 'sub' claim from a trusted issuer. The platform's failure to validate the issuer of the token before associating it with a local user account is the root cause. This could lead to unauthorized data access, manipulation of workflows, and other malicious activities depending on the compromised user's permissions within the n8n instance.

While the exact date of discovery or disclosure was not specified, the issue highlights the importance of robust authentication mechanisms, particularly in multi-tenant or multi-issuer environments. Secure authentication protocols require verification of both the token's issuer and its subject to ensure that only legitimate tokens from authorized sources are accepted and correctly mapped to user identities. n8n's implementation appears to have bypassed this crucial validation step, creating a significant security gap.

Original source — read the full reporting at the publisher:

Read on The Hacker News

Get the weekly AI digest

AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.

Read next