n8n, the workflow automation platform, handed out the wrong
accounts at login. On Enterprise instances configured to trust more
than one external token issuer, it matched an incoming JWT to a
local user on the sub claim alone and ignored iss. A
valid token from issuer A carrying a sub that belongs to
someone under issuer B logged you in as them. Their password
never
Read more https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html

