Description
A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Published: 2026-06-26
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A hostname matching inconsistency in Node.js can allow an attacker to bypass the trust policy in a multi-context mTLS configuration, potentially granting unauthorized access to resources protected by that policy. The flaw falls under CWE‑284, reflecting improper access control, and under CWE‑289, indicating improper verification of the server certificate and its chain. The consequence is that code running in a validated TLS context may incorrectly trust an attacker’s certificate, leading to confidentiality or integrity violations.

Affected Systems

Node.js versions 22, 24, and 26 are affected. The issue is present in all supported release lines, impacting any project that relies on bundled Node.js binaries or is installed from the official distribution.

Risk and Exploitability

The CVSS score of 4.2 indicates a moderate risk, and because the EPSS score is less than 1% the likelihood of exploitation is currently unclear. The vulnerability is not listed in the CISA KEV catalog. The attack requires an environment that uses multi-context mTLS, and to succeed an attacker would need to establish an mTLS connection with a hostname that triggers the mismatch logic. Based on the description, the likely attack vector is via network connections to an application that has enabled multi-context TLS; no public exploitation evidence has been reported.

Generated by OpenCVE AI on June 27, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Node.js release that incorporates the hostname matching fix.
  • If upgrade is not immediately possible, reconfigure mTLS contexts to enforce explicit hostname validation or disable multi-context mTLS.
  • Monitor TLS handshake logs for unexpected or mismatched hostnames and review access control policies.

Generated by OpenCVE AI on June 27, 2026 at 01:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Node.js Hostname Matching Inconsistency Allows Trust‑Policy Bypass in Multi‑Context mTLS Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency
Weaknesses CWE-289
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Vendors & Products Nodejs
Nodejs nodejs

Fri, 26 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js Hostname Matching Inconsistency Allows Trust‑Policy Bypass in Multi‑Context mTLS

Fri, 26 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 4.2, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-26T13:36:28.487Z

Reserved: 2026-05-26T15:00:06.427Z

Link: CVE-2026-48928

cve-icon Vulnrichment

Updated: 2026-06-26T13:36:24.879Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T01:14:36Z

Links: CVE-2026-48928 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T01:30:09Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-289

    Authentication Bypass by Alternate Name