CVE-2026-54314
n8n: Denial of Service via ZIP decompression in webhook workflow
In short
n8n's Compression node allows attackers to send specially crafted ZIP files to public webhooks, causing the server to run out of memory and crash. This disrupts all workflows running on the same instance.
Technical detail
CWE-409 (Improper Handling of Highly Compressed Data, "Data Amplification"): The Decompress operation in n8n's Compression node lacks decompression size limits, enabling zip bomb attacks. An unauthenticated attacker can exploit public webhook workflows by uploading a small compressed archive that expands to a massive size in memory, triggering denial of service through resource exhaustion that affects the entire n8n instance.
Summary generated and translated by AI from the official description.
n8n is an open source workflow automation platform. Prior to 2.24.0, the Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance. This vulnerability is fixed in 2.24.0.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
n8n-io · n8n