CVE-2026-48617

LOW

Node - Improper Access Control

Title source: rule
STIX 2.1

Description

A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Scores

CVSS v3 1.8
EPSS 0.0021
EPSS Percentile 10.9%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (3)
nodejs/node 22.22.3
nodejs/node 24.16.0
nodejs/node 26.3.0
Published Jun 18, 2026
Tracked Since Jun 18, 2026