Description
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Node.js TLS host verification allows an attacker to bypass certificate validation, potentially enabling man‑in‑the‑middle attacks or impersonation of trusted servers. The vulnerability can compromise the confidentiality and integrity of data transmitted over TLS connections. It results in a moderate CVSS score of 4.3, indicating a non‑critical but still meaningful risk to applications relying on Node.js for secure communication.

Affected Systems

All supported release lines of Node.js are impacted, specifically Node.js 22, Node.js 24, and Node.js 26. The flaw exists in the core TLS implementation and applies to any application using the default certificate validation behavior.

Risk and Exploitability

The CVSS score reflects moderate severity. The EPSS score is below 1%, indicating a very low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly confirmed exploits yet. The attack vector requires an attacker to establish a TLS session with the vulnerable Node.js instance, possibly over a network connection, to exploit the host verification bypass. While the exact exploitation process is not described, the risk remains that an attacker could hijack traffic if the application trusts unverified certificates.

Generated by OpenCVE AI on June 27, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to the latest patched release for the relevant 22 or newer series.
  • If an immediate upgrade is not possible, temporarily disable host verification by setting `rejectUnauthorized` to false in TLS options or using the `NODE_TLS_REJECT_UNAUTHORIZED=0` environment variable, accepting the added risk.
  • Implement explicit certificate pinning or additional validation logic in the application so that the host name is checked against the server’s certificate after the TLS handshake.

Generated by OpenCVE AI on June 27, 2026 at 03:21 UTC.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-297 | |

Sat, 27 Jun 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | Node.js TLS Host Verification Bypass in Node.js 22, 24, and 26 | nodejs: Node.js: Certification validation bypass in TLS host verification |
| Weaknesses | | CWE-295 |
| References | | |
| Metrics | threat_severity: None | threat_severity: Moderate |

Fri, 26 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |

Fri, 26 Jun 2026 07:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Nodejs, Nodejs nodejs |
| Vendors & Products | | Nodejs, Nodejs nodejs |

Fri, 26 Jun 2026 03:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Node.js TLS Host Verification Bypass in Node.js 22, 24, and 26 |
| Weaknesses | | CWE-297 |

Fri, 26 Jun 2026 01:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
| References | | |
| Metrics | | cvssV3_0: `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}` |

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-26T13:36:02.850Z

Reserved: 2026-05-26T15:00:06.427Z

Link: CVE-2026-48934

Vulnrichment

Updated: 2026-06-26T13:35:58.562Z

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-06-26T01:14:36Z

Links: CVE-2026-48934 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-27T03:30:10Z

Weaknesses
  • CWE-295

    Improper Certificate Validation