CVE-2026-48935
Published 2026-06-26
Priority: P4 · 12 · low · 3.3 (CVSS 3.0)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.15% (4.5th percentile)
A flaw in the Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
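CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 3.3 | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| vendor_redhat | — | 3.3 | LOW | — |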
GHSA
ghsa_unreviewed·2026-06-26
CVE-2026-48935 [LOW] CWE-276
A flaw in the Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Red Hat
nodejs: Node.js: Unauthorized file metadata modification
vendor_redhat·2026-06-26·CVSS 3.3
CVE-2026-48935 [LOW] CWE-279
A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: nodejs22 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nodejs24 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nodejs (Red Hat Enterprise Linux 8) - Fix deferred
Package: nodejs:22/nodejs (Red Hat Enterprise Linux 9) - F
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48935 nodejs20: Node.js: Unauthorized file metadata modification [fedora-all]
bugzilla·2026-06-26·CVSS 3.3
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48935 nodejs: Node.js: Unauthorized file metadata modification
bugzilla·2026-06-26·CVSS 3.3
A flaw in the Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Bugzilla
CVE-2026-48935 nodejs22: Node.js: Unauthorized file metadata modification [fedora-all]
bugzilla·2026-06-26·CVSS 3.3
Bugzilla
CVE-2026-48935 nodejs24: Node.js: Unauthorized file metadata modification [fedora-all]
bugzilla·2026-06-26·CVSS 3.3