CVE-2026-48928
Published: 2026-06-26
Priority: P428 | Severity: Medium | CVSS 3.1 base score: 5.4
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.25% (15.9th percentile)
An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
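The page gives only the one-sentence description of the flaw, so the block below is an added illustration (not code from the advisory, from Red Hat, or from the Node.js project) of the general bug class in a form a practitioner can run: a server that hosts several mTLS trust contexts keyed on the TLS SNI servername, where the code path that picks the `SecureContext` (and therefore the client CA the certificate chain is verified against) matches hostnames differently from the code path that picks the authorization policy. The hardened variant routes both decisions through one canonicalizing resolver and refuses unknown servernames instead of falling back to a default context. The mechanism, context names, hostnames, CA names and certificate fields are all constructed assumptions for this example; they are not the actual Node.js code path behind CVE-2026-48928, which the page does not describe. In a real Node.js server the selector would run inside the `SNICallback` option of `tls.createServer`, each context would come from `tls.createSecureContext({ ca, cert, key })` with `requestCert: true` on the server, and the post-handshake check would read `socket.servername`, `socket.authorized` and `socket.getPeerCertificate()`; none of that is exercised here, so the block runs offline.

```javascript
// Added example, not from the advisory or the Node.js project. An illustrative
// analogue of "hostname matching inconsistency in multi-context mTLS": two code
// paths in one server interpret the SNI servername differently, so a client
// certificate is chain-verified against one context's CA while authorization
// policy is taken from another. NOT the real CVE-2026-48928 code path; every
// name, hostname, CA and certificate field below is constructed for the example.

// One canonical form used by every lookup: lowercase, one trailing dot stripped,
// RFC 1123-style label syntax enforced. Returns null for anything unusable.
function canonicalHostname(name) {
  if (typeof name !== 'string') return null;
  let h = name.trim().toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  if (h === '' || h.length > 253) return null;
  const label = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
  return h.split('.').every((l) => label.test(l)) ? h : null;
}

// RFC 6125-style wildcard: a single leftmost "*" matches exactly one label.
function hostMatchesPattern(host, pattern) {
  if (!pattern.startsWith('*.')) return host === pattern;
  const suffix = pattern.slice(1); // ".partner.example"
  if (!host.endsWith(suffix)) return false;
  const left = host.slice(0, host.length - suffix.length);
  return left.length > 0 && !left.includes('.');
}

// Constructed trust policy: each context has its own client CA and allowed
// principals. In Node.js each entry would also carry its own SecureContext.
const CONTEXTS = [
  { pattern: 'api.example.com',   clientCA: 'internal-ca', allowed: ['svc-billing'] },
  { pattern: '*.partner.example', clientCA: 'partner-ca',  allowed: ['partner-gateway'] },
];
const DEFAULT_CONTEXT = CONTEXTS[0];

// --- Inconsistent dispatch (the weakness) -------------------------------------
// SNI -> context by exact, case-sensitive match with a silent fallback to the
// default context; authorization -> policy by canonicalized wildcard match.
function selectContextInconsistent(servername) {
  return CONTEXTS.find((c) => c.pattern === servername) || DEFAULT_CONTEXT;
}
function policyForInconsistent(servername) {
  const h = canonicalHostname(servername);
  return h ? CONTEXTS.find((c) => hostMatchesPattern(h, c.pattern)) || null : null;
}

// --- Consistent dispatch (the hardening) --------------------------------------
// One resolver does canonicalization + matching for BOTH decisions, and an
// unmatched servername yields null (abort the handshake) instead of a fallback.
function resolveContext(servername) {
  const h = canonicalHostname(servername);
  return h ? CONTEXTS.find((c) => hostMatchesPattern(h, c.pattern)) || null : null;
}

// Simulated handshake + authorization. peerCert is a constructed stand-in for
// socket.getPeerCertificate(): { issuer, subjectCN }. chainVerifies models the
// CA check performed for whichever context was actually selected.
function admit(servername, peerCert, selectCtx, policyFor) {
  const ctx = selectCtx(servername);
  if (!ctx) return { admitted: false, reason: 'no context for servername' };
  const chainVerifies = peerCert.issuer === ctx.clientCA; // socket.authorized analogue
  if (!chainVerifies) return { admitted: false, reason: 'client cert not from this context CA' };
  const policy = policyFor(servername);
  if (!policy) return { admitted: false, reason: 'no policy for servername' };
  const principalAllowed = policy.allowed.includes(peerCert.subjectCN);
  return {
    admitted: principalAllowed,
    verifiedBy: ctx.clientCA,
    policyFrom: policy.pattern,
    // True when the CA that vouched for the cert is not the CA the policy assumes.
    crossContext: ctx.clientCA !== policy.clientCA,
    reason: principalAllowed ? 'ok' : 'principal not allowed',
  };
}

// Constructed attacker input: a cert from the internal CA that names a partner
// principal, presented with a servername the exact matcher does not recognize.
const evilCert = { issuer: 'internal-ca', subjectCN: 'partner-gateway' };
const sni = 'Gw.Partner.Example.'; // mixed case plus trailing dot

const weak = admit(sni, evilCert, selectContextInconsistent, policyForInconsistent);
const fixed = admit(sni, evilCert, resolveContext, resolveContext);
console.log('inconsistent matching:', weak);  // admitted: true, crossContext: true
console.log('consistent matching:  ', fixed); // admitted: false
```

Run it with `node`. The point to carry into an audit of your own multi-context mTLS code while this page lists no fixed version: every place that turns a client-supplied servername into a trust decision must apply the same canonicalization and the same matching rules, and a servername that matches no configured context should fail the handshake rather than be served by a default context whose CA the policy never intended to trust for that name.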
Affected
9 ranges (only three carry version data; the three identical `nodejs / node.js` entries without version data are collapsed into one row below). No fixed version is recorded on this page for any range.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| NVD | 3.0 | 4.2 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| Red Hat (vendor) | — | 5.4 | MEDIUM | — |
VulDB
Node.js up to 22.22.3/24.16.0/26.3.0 access control (Nessus ID 323047)
vuldb · 2026-06-27 · CVSS 5.4 · MEDIUM
A vulnerability was found in Node.js up to 22.22.3/24.16.0/26.3.0. It has been classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improper access controls.
This vulnerability is traded as CVE-2026-48928. It is possible to initiate the attack remotely. There is no exploit available.
GHSA
An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.
ghsa_unreviewed · 2026-06-26 · MEDIUM · CWE-284
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Red Hat
Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency
vendor_redhat · 2026-06-26 · CVSS 5.4 · MEDIUM · CWE-289
A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: nodejs22 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nodejs24 (Red Hat Enterprise Linux 10) - Fix de
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48928 nodejs20: Node.js: Trust-policy bypass due to hostname matching inconsistency [fedora-all]
bugzilla · 2026-06-26 · CVSS 5.4 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48928 nodejs24: Node.js: Trust-policy bypass due to hostname matching inconsistency [fedora-all]
bugzilla · 2026-06-26 · CVSS 5.4 · MEDIUM
Bugzilla
CVE-2026-48928 Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency
bugzilla · 2026-06-26 · CVSS 5.4 · MEDIUM
An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Bugzilla
CVE-2026-48928 nodejs22: Node.js: Trust-policy bypass due to hostname matching inconsistency [fedora-all]
bugzilla · 2026-06-26 · CVSS 5.4 · MEDIUM