CVE-2026-54314 | n8n is an open source workflow automation platform. Prior to… | CVSS 6.3 MEDIUM

Description

n8n is an open source workflow automation platform. Prior to 2.24.0, the Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance. This vulnerability is fixed in 2.24.0.

Metadata

CVE ID: CVE-2026-54314
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 18:42 UTC
Published: 2026-06-23 15:33 UTC
Last updated: 2026-06-23 15:33 UTC
Primary CWE: CWE-409
CWE-409: Improper Handling of Highly Compressed Data (Data A…
Vendor / Product: n8n-io / n8n
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
n8n-io	n8n	—	< 2.24.0

Weakness (CWE)

CWE	Source	Description
CWE-409	cna	CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References (1)

https://github.com/n8n-io/n8n/security/advisories/GHSA-jqpw-qww5-cj4c https://github.com/n8n-io/n8n/security/advisories/GHSA-jqpw-qww5-cj4c