Description
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission.

This vulnerability affects one supported release line: **Node.js 26**.
Published: 2026-06-26
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Node.js Permission API allows an application to spin up a new server via a Unix domain socket even when it is run without the --allow-net permission. This exposes a local service that can be accessed by other processes on the same host, potentially enabling further abuse or data exfiltration if the service processes sensitive input.

Affected Systems

Node.js 26, the actively supported release line for the Node.js runtime. Any installation of this version that relies on the Permission API and runs with restricted network permissions may be vulnerable.

Risk and Exploitability

The CVSS score of 3.3 classifies the vulnerability as low severity. The EPSS score of 0.00149 (below 1%) indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local; an attacker must already have some level of host access to trigger the flaw. While the risk of widespread impact is low, the presence of a local unauthorized service can still be leveraged for privilege escalation or lateral movement within the host environment.

Generated by OpenCVE AI on June 27, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to the latest 26.x patch that incorporates the fix for the Permission API issue
  • Confirm that the upgraded Node.js installation requires the --allow-net flag for any network operations
  • Use application code reviews and runtime checks to ensure that Permission API calls are performed only by trusted components

Generated by OpenCVE AI on June 27, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title nodejs: Node.js: Local server can be started without network permission via Permission API flaw
Weaknesses CWE-648
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Low


Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Vendors & Products Nodejs
Nodejs nodejs

Fri, 26 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-26T13:35:27.884Z

Reserved: 2026-05-26T15:00:06.427Z

Link: CVE-2026-48936

cve-icon Vulnrichment

Updated: 2026-06-26T13:35:24.028Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-26T01:14:36Z

Links: CVE-2026-48936 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T02:00:10Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-648

    Incorrect Use of Privileged APIs