Allocation of Resources Without Limits or Throttling Affecting n8n package, versions <1.123.58>=2.0.0-rc.0 <2.28.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.24% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-N8N-17954280
  • published12 Jul 2026
  • disclosed10 Jul 2026
  • creditCodeByMoriarty

Introduced: 10 Jul 2026

NewCVE-2026-58661  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade n8n to version 1.123.58, 2.28.0 or higher.

Overview

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the MulterUploadMiddleware in the data-table upload path. An authenticated user can repeatedly upload CSV files to the data-table endpoint by sending requests that are accepted by the per-request file-size check but do not account for files already written to the shared temporary upload directory. Those orphaned uploads accumulate on disk until cleanup runs, allowing the attacker to consume the host’s temporary storage and disrupt file uploads and other operations that depend on available disk space.

Notes

  • The vulnerable path is the authenticated data-table CSV upload flow backed by the shared temporary upload directory; the quota decision only considered the current request, so accumulated orphaned files from prior uploads were not counted toward the budget.
  • The issue is tied to deployments using the data-table storage budget in MulterUploadMiddleware rather than generic file uploads elsewhere in n8n.

Workarounds

  • Restrict access to the n8n instance to fully trusted users only; this reduces the chance that an authenticated but untrusted user can repeatedly upload CSV files and fill the shared temporary upload directory.
  • Set uploadMaxFileSize to a low value; this limits the size of each individual upload and reduces how quickly a user can consume temporary disk space with repeated uploads.
  • Monitor and alert on disk usage in the n8n temporary upload directory; this helps detect growing orphaned uploads before temporary storage exhaustion disrupts uploads and other disk-dependent operations.

CVSS Base Scores

version 4.0
version 3.1