CVE-2026-54314: n8n: decompression bomb DoS via public webhook

GHSA-jqpw-qww5-cj4c MEDIUM
Published June 16, 2026
CISO Take

n8n's Compression node decompressed attacker-controlled archives without enforcing limits on decompressed size or entry count, so an unauthenticated adversary who can reach a public webhook workflow that feeds uploads into that node can exhaust memory and crash the entire n8n instance, taking down every workflow running in it, with a single small crafted archive. The EPSS score is low (about 0.06%, higher than only 18% of all CVEs) and there is no CISA KEV listing, so there is no exploitation signal yet; the case for urgency rests instead on the trivial crafting effort, the absence of any authentication requirement, and the blast radius, which together make opportunistic scanning realistic. n8n is increasingly deployed as an AI agent orchestration layer connecting LLMs, APIs, and sensitive business data pipelines, so a successful DoS silences not just one workflow but the entire automation stack for all users of the instance. Upgrade to n8n 2.24.0 and set the new limits (N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES, N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES) to the values your workflows actually need; if patching is delayed, exclude the node via NODES_EXCLUDE or restrict public webhooks that accept archives to authenticated endpoints.

Sources: NVD, EPSS, GitHub Advisory, ATLAS, OpenSSF

What is the risk?

Medium severity (CVSS 5.9, AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) with a purely availability impact. The AC:H rating reflects the prerequisite of a publicly exposed webhook workflow that passes the incoming file to the Compression node's Decompress operation; not a universal condition, but common in workflow automation deployments that process file uploads. No confidentiality or integrity exposure. EPSS is low (0.06%, higher than only 18% of all CVEs), so the operational risk comes not from observed exploitation but from trivial exploit construction (a zip bomb is a few lines of script or a prebuilt tool), zero required privileges, and the fact that one request takes down every workflow sharing the process. The 105 historical CVEs in this package signal a recurring pattern of security debt that warrants elevated scrutiny of any n8n deployment.

How does the attack unfold?

Reconnaissance
Attacker scans internet-facing hosts for exposed n8n instances and probes /webhook/* endpoints to identify workflows that accept compressed file input via the Compression node.
AML.T0006
Weapon Crafting
Attacker generates a zip bomb: a small archive, a few kilobytes to tens of kilobytes, that expands by roughly a thousand times per DEFLATE stream (the format's ceiling is about 1032:1) and by far more when entries overlap, using widely available tools requiring no specialized knowledge.
Exploitation
Attacker sends a single unauthenticated HTTP POST containing the zip bomb to the target n8n webhook, triggering unbounded in-memory decompression with no size or entry-count guardrails.
AML.T0049
Impact: Full Instance DoS
The n8n process terminates on memory exhaustion (a Node.js allocation failure or the kernel OOM killer, depending on configured limits), ending all active workflows and AI agent pipelines across the entire instance until the process is restarted.
AML.T0029

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
n8n | npm | < 2.24.0 | 2.24.0
Package profile: 192.4K, OpenSSF 6.5, pushed 3d ago, 55% patched, ~2d to patch

Do you run n8n older than 2.24.0? You're affected.

How severe is it?

CVSS 3.1: 5.9 / 10
EPSS: 0.06% chance of exploitation in 30 days (higher than 18% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: High
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

Six steps
  1. Upgrade to n8n 2.24.0 or later; this is the only full remediation.

  2. Post-upgrade, set N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES (recommended: 50MB or less) and N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES to the smallest values your legitimate archives need. Size the byte cap against the process, not a single request: several webhook executions can decompress concurrently, so the cap multiplied by the expected concurrency must fit under the process memory limit with headroom.

  3. If patching is delayed, add 'n8n-nodes-base.compression' to NODES_EXCLUDE to disable the node instance-wide; workflows that depend on it will stop running, which is preferable to the whole instance crashing.

  4. Audit all workflows with public webhooks and enforce authentication on any that accept file uploads.

  5. Apply container-level memory limits (e.g., Docker --memory) with a restart policy as defense-in-depth, so an exhausted process is killed and restarted by the orchestrator rather than degrading the host.

  6. Monitor for the symptoms rather than for large uploads: a zip bomb is small by design, so request-size thresholds will not catch it. Watch for sudden memory growth in the n8n process following a webhook call, OOM-triggered restarts or restart loops, and repeated POSTs of small compressed bodies to the same webhook from a single source IP.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15(4) - Robustness against adversarial inputs
ISO 42001
A.6.2 - AI system operational and performance monitoring
NIST AI RMF
MANAGE 2.2 - Risk treatment for AI system availability
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2026-54314?

CVE-2026-54314 is a denial-of-service flaw in n8n's Compression node. Its Decompress operation expanded attacker-controlled archives into memory with no limit on decompressed size or entry count, so a small crafted archive posted to a public webhook workflow that uses the node could exhaust memory and terminate the n8n process, disrupting every workflow on the instance. It affects n8n before 2.24.0 and is fixed in 2.24.0, which adds the N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES and N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES limits; until you can upgrade, exclude the node via NODES_EXCLUDE or restrict webhooks that accept archives to authenticated endpoints.

Is CVE-2026-54314 actively exploited?

No confirmed active exploitation of CVE-2026-54314 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54314?

1. Upgrade to n8n 2.24.0 or later; this is the only full remediation. 2. Post-upgrade, set N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES (recommended: 50MB or less) and N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES to the smallest values your legitimate archives need, keeping the byte cap multiplied by expected concurrent executions under the process memory limit. 3. If patching is delayed, add 'n8n-nodes-base.compression' to NODES_EXCLUDE to disable the node instance-wide. 4. Audit all workflows with public webhooks and enforce authentication on any that accept file uploads. 5. Apply container-level memory limits (e.g., Docker --memory) with a restart policy as defense-in-depth. 6. Monitor for memory spikes and OOM-triggered restarts of the n8n process and for repeated small compressed POSTs to one webhook from a single source IP; large-body thresholds will not catch a zip bomb, which is small by design.

What systems are affected by CVE-2026-54314?

n8n versions before 2.24.0 (npm package n8n) are affected, specifically instances that expose a public webhook workflow passing uploads to the Compression node's Decompress operation. In AI/ML terms, the affected architecture patterns are agent frameworks, AI workflow orchestration, and LLM pipeline automation.

What is the CVSS score for CVE-2026-54314?

CVE-2026-54314 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.06%, higher than 18% of all CVEs.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI workflow orchestration, LLM pipeline automation

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0029 Denial of AI Service
AML.T0034.001 Resource-Intensive Queries
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15(4)
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

## Impact

The Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance.

## Patches

The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability. The fix introduces configurable limits on decompressed output size (`N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES`) and ZIP entry count (`N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES`).

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Disable the Compression node by adding `n8n-nodes-base.compression` to the `NODES_EXCLUDE` environment variable.
- Restrict public webhook workflows that accept archive file uploads to authenticated endpoints only.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker scans Shodan or Censys for exposed n8n instances, identifying hosts responding on common n8n ports with /webhook/* URL patterns. They send test payloads to discover endpoints that accept compressed file input and respond as if the upload was processed, suggesting a Compression node sits in the workflow. Using a standard zip bomb generator, a few lines of Python or a prebuilt tool, they craft an archive of a few kilobytes that decompresses to hundreds of megabytes (a single DEFLATE stream tops out near 1032:1; overlapping-entry archives reach gigabytes from tens of kilobytes). A single unauthenticated HTTP POST to the webhook URL triggers unbounded decompression inside the n8n process; the process dies on memory exhaustion, whether from a Node.js allocation failure or the kernel OOM killer, halting all AI agent workflows, LLM integrations, and business automations running on that instance until the service is restarted, manually or by a supervisor.

Weaknesses (CWE)

CWE-409 — Improper Handling of Highly Compressed Data (Data Amplification): The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 17, 2026

Related Vulnerabilities