Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54314

CVE-2026-54314: n8n Workflow Automation DoS Vulnerability

CVE-2026-54314 is a denial of service flaw in n8n workflow automation that allows attackers to cause memory exhaustion through malicious compressed archives. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-54314 Overview

CVE-2026-54314 is a denial-of-service vulnerability in n8n, an open source workflow automation platform. The Compression node's Decompress operation expands attacker-controlled archives into memory without enforcing a cap on decompressed output size. An unauthenticated attacker can submit a small compressed archive to a public webhook workflow that invokes this node. The decompression routine then consumes available memory and terminates the n8n process. All workflows running on the same instance are disrupted as a result. The flaw is tracked under CWE-409 (Improper Handling of Highly Compressed Data) and is resolved in n8n version 2.24.0.

Critical Impact

Unauthenticated remote attackers can crash an n8n instance through a single malformed archive, halting all hosted automation workflows.

Affected Products

  • n8n workflow automation platform versions prior to 2.24.0
  • Self-hosted n8n instances exposing webhook workflows that use the Compression node
  • n8n deployments using the Decompress operation on untrusted input

Discovery Timeline

  • 2026-06-23 - CVE-2026-54314 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-54314

Vulnerability Analysis

The vulnerability resides in the Compression node's Decompress operation. When the node processes an incoming archive, it expands the compressed payload into memory without validating the resulting size. A small input archive can expand to gigabytes of decompressed data, a class of attack commonly referred to as a decompression bomb or zip bomb.

When exposed through a public webhook workflow, the node accepts attacker-supplied data without authentication. The Node.js runtime hosting n8n exhausts its heap during decompression and the process terminates. Because n8n executes all workflows within a single process by default, the crash disrupts every workflow on the affected instance.

The issue maps to CWE-409, Improper Handling of Highly Compressed Data. Refer to the GitHub Security Advisory GHSA-jqpw-qww5-cj4c for vendor details.

Root Cause

The Decompress operation streams archive contents into memory buffers without enforcing a maximum decompressed size, output ratio, or per-entry limit. The implementation trusts the archive's declared structure rather than constraining resource consumption during expansion.

Attack Vector

An unauthenticated attacker identifies a public webhook endpoint that routes data into a workflow containing the Compression node configured for Decompress. The attacker sends an HTTP request containing a crafted archive only kilobytes in size that expands to a payload exceeding available memory. The n8n process aborts with an out-of-memory condition, terminating all in-flight workflows.

No authentication, user interaction, or elevated privileges are required. The attack is repeatable and can be automated against any exposed instance.

Detection Methods for CVE-2026-54314

Indicators of Compromise

  • Abrupt termination of the n8n process with out-of-memory exit codes or JavaScript heap out of memory errors in stdout or container logs
  • Webhook requests containing compressed payloads (Content-Type: application/zip, application/gzip, or similar) directed at workflows known to use the Compression node
  • Sudden spikes in resident set size (RSS) for the n8n Node.js process immediately preceding a crash
  • Repeated short-lived inbound requests followed by service restarts orchestrated by the container runtime or process supervisor

Detection Strategies

  • Inventory all workflows using the Compression node and identify those triggered by public webhooks
  • Monitor n8n process exit events and correlate restarts with inbound webhook traffic timestamps
  • Inspect reverse proxy or API gateway logs for unusually small compressed payloads followed by upstream 502 or 504 responses
  • Alert on Node.js heap allocation failures captured by container orchestration platforms or APM tooling

Monitoring Recommendations

  • Track memory utilization of the n8n process and trigger alerts on sustained growth above baseline
  • Forward n8n logs, reverse proxy access logs, and host-level metrics to a centralized analytics platform for correlation
  • Enable rate limiting and request size enforcement at the ingress layer and log violations for review

How to Mitigate CVE-2026-54314

Immediate Actions Required

  • Upgrade n8n to version 2.24.0 or later, which enforces output size limits on the Decompress operation
  • Audit all production workflows that invoke the Compression node and validate their exposure to untrusted input
  • Restrict public webhook endpoints that handle compressed data behind authentication or network access controls until patching is complete

Patch Information

The vulnerability is fixed in n8n 2.24.0. Review the GitHub Security Advisory GHSA-jqpw-qww5-cj4c for the upstream fix and apply the release through your standard deployment pipeline.

Workarounds

  • Disable or remove workflows that use the Compression node's Decompress operation on attacker-reachable inputs
  • Place an ingress proxy in front of n8n that enforces a maximum request body size on webhook endpoints
  • Run n8n with container memory limits and automatic restart policies to reduce blast radius while patching
  • Require authentication on webhook URLs that feed decompression logic, eliminating the unauthenticated attack path

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.