Skip to main content

n8n CVE-2026-54314

| EUVDEUVD-2026-38462 MEDIUM
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-06-16 https://github.com/n8n-io/n8n GHSA-jqpw-qww5-cj4c
6.3
CVSS 4.0 · Vendor: https://github.com/n8n-io/n8n
Share

Severity by source

Vendor (https://github.com/n8n-io/n8n) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

AC:H reflects the non-default prerequisite of a public webhook workflow using the Compression node; PR:N because no authentication is needed once that workflow exists; C:N/I:N as impact is purely availability.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/n8n-io/n8n).

CVSS VectorVendor: https://github.com/n8n-io/n8n

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 17:07 NVD
5.9 (MEDIUM) 6.3 (MEDIUM)
Source Code Evidence Fetched
Jun 17, 2026 - 00:34 vuln.today
Analysis Generated
Jun 17, 2026 - 00:34 vuln.today

DescriptionCVE.org

Impact

The Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance.

Patches

The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability. The fix introduces configurable limits on decompressed output size (N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES) and ZIP entry count (N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES).

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Disable the Compression node by adding n8n-nodes-base.compression to the NODES_EXCLUDE environment variable.
  • Restrict public webhook workflows that accept archive file uploads to authenticated endpoints only.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

Denial of service via ZIP decompression bomb in n8n's Compression node affects all versions prior to 2.24.0, allowing unauthenticated remote attackers to terminate the entire n8n process by submitting a maliciously crafted archive to any public webhook workflow that uses the Decompress operation. Memory exhaustion crashes the host process, taking every workflow on the instance offline simultaneously - a significant blast radius in production deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public n8n webhook using Compression node
Delivery
Craft minimal ZIP bomb archive
Exploit
Submit archive via unauthenticated HTTP POST
Execution
Node decompresses without size limits
Persist
Memory exhaustion terminates n8n process
Impact
All instance workflows disrupted

Vulnerability AssessmentAI

Exploitation Exploitation requires the target n8n instance to have at least one public (unauthenticated) webhook workflow explicitly configured to pass attacker-controlled archive file input through the Compression node's Decompress operation - this is a non-default, intentionally configured workflow pattern, not something present in a fresh n8n installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) accurately captures the key tension: the attack is network-reachable and requires no authentication, but AC:H reflects a critical deployment prerequisite - the target instance must expose a public webhook workflow explicitly wired to the Compression node's Decompress operation, which is not a default configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates an internet-facing n8n instance and discovers a public (unauthenticated) webhook URL associated with a workflow that passes uploaded files through the Compression node's Decompress operation. The attacker constructs a ZIP bomb - a legitimate ZIP archive of a few kilobytes containing deeply nested or highly repetitive data that decompresses to tens of gigabytes - and submits it as a multipart file upload via a single HTTP POST to the webhook endpoint. …
Remediation Vendor-released patch: n8n 2.24.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy