CVE-2026-48617

Summary

A flaw in Node.js Permission Model enforcement allows Bypass via process.report.writeReport() Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Affected Software

VendorProductVersion RangeStatus
nodejsnode22.22.3 <= 22.22.3affected
nodejsnode24.16.0 <= 24.16.0affected
nodejsnode26.3.0 <= 26.3.0affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control - Generic

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References