CVE-2026-48928: CWE-284 Improper Access Control - Generic in nodejs node
CVE-2026-48928 is a medium severity vulnerability in Node.js affecting versions 22.22.3, 24.16.0, and 26.3.0. It involves an inconsistency in hostname matching that can lead to a trust-policy bypass in multi-context mutual TLS (mTLS) setups. The vulnerability relates to improper access control (CWE-284) and could allow limited unauthorized access. No official patch or remediation guidance is currently provided by the vendor.
AI Analysis
Technical Summary
This vulnerability arises from an inconsistency in how Node.js performs hostname matching in multi-context mTLS configurations. This inconsistency can cause a bypass of trust policies, potentially allowing an attacker with limited privileges to circumvent intended access controls. The issue affects specific Node.js versions 22.22.3, 24.16.0, and 26.3.0. The CVSS 3.0 base score is 4.2, reflecting a medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and low impact on confidentiality and integrity without availability impact. No known exploits are reported in the wild, and no official remediation or patch has been published yet.
Potential Impact
The vulnerability could allow an attacker to bypass trust policies in multi-context mTLS setups, potentially leading to unauthorized access or privilege escalation within affected Node.js environments. The impact on confidentiality and integrity is low, and availability is not affected. Exploitation complexity is high, and the attacker requires low privileges.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should review their multi-context mTLS configurations and consider additional access control measures to mitigate potential risks. Monitor official Node.js security advisories for updates.
CVE-2026-48928: CWE-284 Improper Access Control - Generic in nodejs node
Description
CVE-2026-48928 is a medium severity vulnerability in Node.js affecting versions 22.22.3, 24.16.0, and 26.3.0. It involves an inconsistency in hostname matching that can lead to a trust-policy bypass in multi-context mutual TLS (mTLS) setups. The vulnerability relates to improper access control (CWE-284) and could allow limited unauthorized access. No official patch or remediation guidance is currently provided by the vendor.
CVSS v3.0
Score 4.2medium
Affected software
pkg:github/nodejs/nodeRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from an inconsistency in how Node.js performs hostname matching in multi-context mTLS configurations. This inconsistency can cause a bypass of trust policies, potentially allowing an attacker with limited privileges to circumvent intended access controls. The issue affects specific Node.js versions 22.22.3, 24.16.0, and 26.3.0. The CVSS 3.0 base score is 4.2, reflecting a medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and low impact on confidentiality and integrity without availability impact. No known exploits are reported in the wild, and no official remediation or patch has been published yet.
Potential Impact
The vulnerability could allow an attacker to bypass trust policies in multi-context mTLS setups, potentially leading to unauthorized access or privilege escalation within affected Node.js environments. The impact on confidentiality and integrity is low, and availability is not affected. Exploitation complexity is high, and the attacker requires low privileges.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should review their multi-context mTLS configurations and consider additional access control measures to mitigate potential risks. Monitor official Node.js security advisories for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- hackerone
- Date Reserved
- 2026-05-26T15:00:06.427Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3dd65f4853345fc1fa2e28
Added to database: 06/26/2026, 01:31:11 UTC
Last enriched: 06/26/2026, 01:47:11 UTC
Last updated: 06/26/2026, 01:47:11 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.