CVE-2026-48928

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*

History

26 Jun 2026, 20:19

Type Values Removed Values Added
References () https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - () https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - Patch, Vendor Advisory
CVSS v2 : unknown
v3 : 4.2
v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*
First Time Nodejs
Nodejs node.js

26 Jun 2026, 02:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-26 02:16

Updated : 2026-06-26 20:19


NVD link : CVE-2026-48928

Mitre link : CVE-2026-48928

CVE.ORG link : CVE-2026-48928


JSON object : View

Products Affected

nodejs

  • node.js
CWE
CWE-284

Improper Access Control