n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer
Summary
The workflow automation platform n8n has a flaw in its token exchange mechanism. On enterprise instances configured with multiple token issuers, the platform incorrectly matches incoming JWTs to local users based solely on the 'sub' claim, ignoring the 'iss' claim. This allows a valid token from one issuer to log a user in as someone else if their 'sub' claim matches a user under a different issuer.
IFF Assessment
This vulnerability allows attackers to impersonate other users by exploiting a flawed token validation process, posing a direct threat to system integrity and user accounts.
Severity
The vulnerability allows for authentication bypass and account takeover by impersonating other users. It has a high impact on confidentiality and integrity, with a relatively low attack complexity.
Defender Context
This issue highlights the importance of robust token validation in authentication systems. Defenders should ensure that their applications rigorously validate all claims within JWTs, especially the issuer ('iss') claim, to prevent token replay and impersonation attacks. Regularly updating software and monitoring for security advisories related to authentication components are crucial steps.