CVE-2026-21716: Missing Authorization in Node

Severity
3.3 LOW (NVD)
EPSS
0.0%
top 99.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 30

Description

An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 1.8 | Impact: 1.4

Affected Packages (3 packages)

Alpine: nodejs/nodejs < 22.22.2-r0 (+2)
Debian: nodejs/nodejs < 20.19.2+dfsg-1+deb13u2 (+1)
CVEListV5: nodejs/node 20.20.1 20.20.1 (+3)

🔴 Vulnerability Details

4
GHSA
GHSA-22vj-v4r3-878v: An incomplete fix for CVE-2024-36137 leaves `FileHandle (2026-03-30)
CVEList
CVE-2026-21716: An incomplete fix for CVE-2024-36137 leaves `FileHandle (2026-03-30)
OSV
CVE-2026-21716: An incomplete fix for CVE-2024-36137 leaves `FileHandle (2026-03-30)
OSV
CVE-2026-21716: An incomplete fix for CVE-2024-36137 leaves `FileHandle (2026-03-30)

📋 Vendor Advisories

2
Red Hat
nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (2026-03-30)
Debian
CVE-2026-21716: nodejs - An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle... 2026

🕵️ Threat Intelligence

1
Wiz
CVE-2026-21716 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community

1
Bugzilla
CVE-2026-21716 nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (2026-03-30)
CVE-2026-21716 — Missing Authorization in Nodejs Node | cvebase