CVE-2026-48934
Published 2026-06-26
Priority: P4 · 23 · medium · 4.3 (CVSS 3.0)
AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.25% (16.2th percentile)
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
CVSS provenance
nvd · v3.0 · 4.3 MEDIUM · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vendor_redhat · 4.3 MEDIUM
Red Hat
nodejs: Node.js: Certification validation bypass in TLS host verification
vendor_redhat·2026-06-26·CVSS 4.3
CVE-2026-48934 [MEDIUM] CWE-295 nodejs: Node.js: Certification validation bypass in TLS host verification
A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: nodejs22 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nodejs24 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nodejs (Red Hat Enterprise
GHSA
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.
ghsa_unreviewed·2026-06-26
CVE-2026-48934 [MEDIUM] A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48934 nodejs20: Node.js: Certification validation bypass in TLS host verification [fedora-all]
bugzilla·2026-06-26·CVSS 4.3
CVE-2026-48934 [MEDIUM] CVE-2026-48934 nodejs20: Node.js: Certification validation bypass in TLS host verification [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48934 nodejs: Node.js: Certification validation bypass in TLS host verification
bugzilla·2026-06-26·CVSS 4.3
CVE-2026-48934 [MEDIUM] CVE-2026-48934 nodejs: Node.js: Certification validation bypass in TLS host verification
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Bugzilla
CVE-2026-48934 nodejs24: Node.js: Certification validation bypass in TLS host verification [fedora-all]
bugzilla·2026-06-26·CVSS 4.3
CVE-2026-48934 [MEDIUM] CVE-2026-48934 nodejs24: Node.js: Certification validation bypass in TLS host verification [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48934 nodejs22: Node.js: Certification validation bypass in TLS host verification [fedora-all]
bugzilla·2026-06-26·CVSS 4.3
CVE-2026-48934 [MEDIUM] CVE-2026-48934 nodejs22: Node.js: Certification validation bypass in TLS host verification [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.