CVE-2026-48936
Published 2026-06-26
Priority: P4 · 12 · low · 3.3 (CVSS 3.0)
AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.15% (4.5th percentile)
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission.
This vulnerability affects one supported release line: **Node.js 26**.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
CVSS provenance
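| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 3.3 | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| vendor_redhat | — | 3.3 | LOW | — |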
Red Hat
nodejs: Node.js: Local server can be started without network permission via Permission API flaw
vendor_redhat·2026-06-26·CVSS 3.3
CVE-2026-48936 [LOW] CWE-648 nodejs: Node.js: Local server can be started without network permission via Permission API flaw
A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the `--allow-net` permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or integrity impact.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: nodejs22 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nodejs24 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nod
GHSA
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission.
ghsa_unreviewed·2026-06-26
CVE-2026-48936 [LOW] CWE-284 A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48936 nodejs24: Node.js: Local server can be started without network permission via Permission API flaw [fedora-all]
bugzilla·2026-06-26·CVSS 3.3
CVE-2026-48936 [LOW] CVE-2026-48936 nodejs24: Node.js: Local server can be started without network permission via Permission API flaw [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48936 nodejs22: Node.js: Local server can be started without network permission via Permission API flaw [fedora-all]
bugzilla·2026-06-26·CVSS 3.3
CVE-2026-48936 [LOW] CVE-2026-48936 nodejs22: Node.js: Local server can be started without network permission via Permission API flaw [fedora-all]
Bugzilla
CVE-2026-48936 nodejs20: Node.js: Local server can be started without network permission via Permission API flaw [fedora-all]
bugzilla·2026-06-26·CVSS 3.3
CVE-2026-48936 [LOW] CVE-2026-48936 nodejs20: Node.js: Local server can be started without network permission via Permission API flaw [fedora-all]
Bugzilla
CVE-2026-48936 nodejs: Node.js: Local server can be started without network permission via Permission API flaw
bugzilla·2026-06-26·CVSS 3.3
CVE-2026-48936 [LOW] CVE-2026-48936 nodejs: Node.js: Local server can be started without network permission via Permission API flaw