Description
n8n is an open source workflow automation platform. Prior to 2.24.0, the Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance. This vulnerability is fixed in 2.24.0.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n is an open source workflow automation platform. The vulnerability is caused by the Compression node's Decompress operation in n8n, which prior to version 2.24.0 expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker can create a small compressed archive and send it to a public webhook workflow that utilizes this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance. This vulnerability is fixed in 2.24.0. The flaw illustrates CWE-409: Uncontrolled Memory Allocation. The CVSS score of 6.3 indicates moderate severity, and the absence of an EPSS score means the current exploitation probability is unclear. Exploitation requires only access to a public webhook endpoint, making the attack straightforward. Successful exploitation triggers an out‑of‑memory condition, terminating the n8n process and bringing down all running workflows, potentially causing significant disruption to automation tasks.

Affected Systems

Any deployment of the n8n workflow automation platform using the Compression node before version 2.24.0 is vulnerable. The issue applies to n8n‑io and affects all public‑webhook workflows that include the Decompress operation.

Risk and Exploitability

The risk posed by this flaw is moderate, as reflected by the CVSS score of 6.3. Because the vulnerability does not require authentication and relies on a public webhook endpoint, the likelihood of exploitation is contingent on the exposure of the workflow. An unauthenticated attacker can craft a small ZIP archive that, when processed by the Decompress operation, loads an enormous amount of data into memory, triggering an out‑of‑memory condition and forcefully terminating the n8n process. The resulting crash brings down all workflows running in the same instance, causing a service disruption. Although no EPSS score is available, the absence of a KEV listing indicates no known widespread exploitation yet, but the simplicity of the attack vector (any user with access to a public webhook URL) means the vulnerability could be exploited early if the handler is left exposed.

Generated by OpenCVE AI on June 24, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade.24.0 or later to remove the memory‑unbounded Decompress flaw.
  • If an immediate upgrade is not possible, restrict public webhook access or disable the Compression node for externally exposed workflows, ensuring no user can trigger the decompression operation.
  • Configure container or host resource limits (CPU, memory) to prevent a single process from exhausting system resources, and monitor n8n logs and metrics for unexpected memory spikes or restarts.

Generated by OpenCVE AI on June 24, 2026 at 11:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jqpw-qww5-cj4c n8n: Denial of Service via ZIP decompression in webhook workflow
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to 2.24.0, the Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance. This vulnerability is fixed in 2.24.0.
Title n8n: Denial of Service via ZIP decompression in webhook workflow
Weaknesses CWE-409
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:56:50.852Z

Reserved: 2026-06-12T18:42:02.223Z

Link: CVE-2026-54314

cve-icon Vulnrichment

Updated: 2026-06-24T13:56:27.231Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)