Listen to this Post
How CVE-2026-58661 Works
n8n is an open‑source workflow automation platform that exposes a data‑table file upload endpoint for handling workflow‑related file attachments. In versions prior to 2.28.0 (and prior to 1.123.58 on the 1.x branch), this endpoint suffers from a critical resource exhaustion flaw.
The root cause lies in the per‑request quota check. When a user uploads a file, the system validates the size of that single file against a configured limit (e.g., 10 MB). However, the check does not account for files that have already been written to the shared temporary directory (/tmp or a similar location) by previous upload requests. The temporary directory is shared across all users and sessions, and files remain there until a periodic cleanup job (e.g., a cron task or an internal garbage collector) removes them.
Because the quota validation only looks at the current upload payload, an authenticated attacker can repeatedly upload files—each within the per‑request size limit—and cause them to pile up in the temporary folder. Since the cleanup runs only at fixed intervals (e.g., every hour or every day), the accumulated data can grow far beyond the intended per‑user or per‑request quota, eventually filling the entire disk partition.
This is a classic uncontrolled resource consumption vulnerability (CWE‑400). The attack requires only low privileges (authenticated user) and can be performed remotely over the network. No user interaction is needed, and the attack complexity is low. The impact is purely on availability: once the disk is full, the n8n application may crash, become unresponsive, or fail to write logs, process workflows, or accept new uploads. In multi‑tenant deployments, one malicious user can exhaust disk space for all tenants.
The vulnerability is particularly dangerous because the accumulation can happen gradually over time, evading simple monitoring that only alerts on sudden spikes. The per‑request quota mechanism is fundamentally flawed—it enforces a limit on individual uploads but not on the total volume of files residing in the shared temporary storage. The fix, implemented in versions 2.28.0 and 1.123.58, corrects this by maintaining a global counter of disk usage for the temporary directory and rejecting new uploads when the total exceeds a safe threshold.
DailyCVE Form
| Field | Answer |
|–||
| Platform | n8n |
| Version | <2.28.0, <1.123.58 |
| Vulnerability | Disk Space Exhaustion |
| Severity | Critical |
| Date | 2026-07-10 |
| Prediction | 2026-07-20 (expected patch release) |
What Undercode Say
Analytics & Detection
Monitoring disk usage and temporary directory growth is essential to detect exploitation early. The following commands and scripts can help administrators spot anomalous accumulation.
Check total disk usage of the temporary directory used by n8n
du -sh /path/to/n8n/temp
List the 10 largest files in the temporary directory
find /path/to/n8n/temp -type f -exec ls -lh {} \; | sort -rh | head -10
Monitor the growth rate of the temp folder every 5 seconds
watch -n 5 'du -sh /path/to/n8n/temp'
Set up a cron job to alert if temp usage exceeds 80% of the partition
!/bin/bash
USAGE=$(df /path/to/n8n/temp | awk 'NR==2 {print $5}' | sed 's/%//')
if [ $USAGE -gt 80 ]; then
echo "WARNING: n8n temp directory usage is at ${USAGE}%" | mail -s "Disk Alert" [email protected]
fi
Log Analysis
Search n8n logs for repeated upload events from the same user:
grep "data-table/upload" /var/log/n8n.log | awk '{print $1, $9}' | sort | uniq -c | sort -nr
Exploit
An authenticated attacker can exploit this vulnerability by sending a large number of file upload requests to the endpoint `/rest/data-table/upload` (or similar). Each request carries a file that is small enough to pass the per‑request quota, but the total size of all files quickly exhausts disk space.
Example attack flow:
- Obtain a valid session token (authenticated as a low‑privilege user).
2. For i in {1..10000}; do
curl -X POST https://target.n8n.instance/rest/data-table/upload \
-H “Authorization: Bearer $TOKEN” \
-F “file=@/dev/zero;filename=payload.bin” \
-F “size=10485760” 10 MB, within quota
done
- Each upload writes a 10 MB file to the shared temporary directory.
- After 100 iterations, 1 GB is consumed; after 10,000 iterations, 100 GB is consumed—until the disk is full.
Because the cleanup runs only periodically (e.g., every 24 hours), the attacker can sustain the attack over days, making it difficult to distinguish from normal usage.
Protection
- Upgrade immediately to n8n 2.28.0 or 1.123.58 (or later). These versions include the fix that properly accounts for all files in the temporary directory and enforce a global quota.
- Apply additional monitoring on disk usage, especially on the partition where the temporary directory resides. Set up alerts at 70%, 80%, and 90% usage.
- Reduce the cleanup interval for temporary files. If your deployment allows, configure the cleanup job to run every 15–30 minutes instead of hourly or daily.
- Restrict upload permissions to only trusted users, and consider implementing rate limiting on the upload endpoint (e.g., using a reverse proxy or API gateway).
- Isolate the temporary directory to a dedicated partition or mount point with a small size, so that exhaustion does not affect the root filesystem or other critical services.
Impact
- Denial of Service (DoS): The most direct impact is complete disk exhaustion, causing the n8n application to crash or become unresponsive. All workflows, integrations, and automated processes that depend on n8n will fail.
- Service Disruption: In multi‑tenant environments, one attacker can bring down the entire n8n instance, affecting all tenants and their business operations.
- Logging and Auditing Failure: When the disk is full, the application cannot write logs, making forensic analysis and incident response difficult.
- Cascading Failures: Other services that share the same disk partition (e.g., databases, monitoring agents) may also fail, amplifying the overall impact.
- CVSS Score: 5.3 (Medium) under CVSS v4.0 [AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N], but classified as Critical by VulDB due to the ease of exploitation and the potential for complete service outage.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

