CVE-2026-54314: n8n: Denial of Service via ZIP decompression in webhook workflow
The Compression node’s Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance.
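The missing control described above is a cap on decompressed output. The following is an added example, not n8n's code: the `inflateEntries` function, the 1 MiB budget and the sample entries are assumptions made for illustration, and ZIP container parsing is omitted, so entries are passed in as raw DEFLATE streams.

```javascript
const zlib = require('zlib');

// Constructed limit for this example; choose one that fits the instance's memory.
const MAX_TOTAL_BYTES = 1024 * 1024; // 1 MiB across all entries of one archive

// Inflates raw DEFLATE streams (ZIP compression method 8) under one shared
// output budget. Sizes declared in archive headers are attacker-controlled,
// so the cap is enforced on the bytes actually produced.
function inflateEntries(entries, maxTotalBytes = MAX_TOTAL_BYTES) {
  const files = [];
  let remaining = maxTotalBytes;
  for (const { name, compressed } of entries) {
    if (remaining < 1) {
      return { ok: false, reason: 'output-limit-exceeded', entry: name };
    }
    try {
      // zlib aborts and throws once output exceeds maxOutputLength.
      const data = zlib.inflateRawSync(compressed, { maxOutputLength: remaining });
      remaining -= data.length;
      files.push({ name, data });
    } catch (err) {
      const reason = err.code === 'ERR_BUFFER_TOO_LARGE'
        ? 'output-limit-exceeded'
        : 'invalid-data';
      return { ok: false, reason, entry: name };
    }
  }
  return { ok: true, files, totalBytes: maxTotalBytes - remaining };
}

// Constructed sample input: a small entry and a highly compressible one.
const small = zlib.deflateRawSync(Buffer.from('hello webhook'));
const large = zlib.deflateRawSync(Buffer.alloc(8 * 1024 * 1024)); // 8 MiB of zeros

function demo() {
  return {
    accepted: inflateEntries([{ name: 'a.txt', compressed: small }]),
    rejected: inflateEntries([
      { name: 'a.txt', compressed: small },
      { name: 'b.bin', compressed: large },
    ]),
    largeCompressedSize: large.length,
  };
}
```

The budget is shared across entries, so an archive cannot bypass the cap by splitting its output over many files.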