CVE-2026-21636

Severity: 10.0 CRITICAL
EPSS: 0.0% (top 93.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Jan 20

Description

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code exec

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (2 packages)

Source | Package | Versions
NVD | nodejs/node.js | 25.0.0 to 25.3.0
CVEListV5 | nodejs/node | 25.2.1 to 25.2.1

Vulnerability Details (3)

CVEList: CVE-2026-21636: A flaw in Node (2026-01-20)
OSV: CVE-2026-21636: A flaw in Node (2026-01-20)
GHSA: GHSA-7xhv-hcmf-4rfv: A flaw in Node (2026-01-20)

Vendor Advisories (2)

Red Hat: nodejs: Nodejs network segmentation bypass (2026-01-20)
Debian: CVE-2026-21636: nodejs - A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-21636 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-21636 (CRITICAL CVSS 10) | A flaw in Node.js's permission mode | cvebase.io