CVE-2026-21711

| EUVD-2026-17172 MEDIUM
2026-03-30 hackerone
5.3
CVSS 3.0
Share

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 30, 2026 - 19:30 vuln.today
EUVD ID Assigned
Mar 30, 2026 - 19:30 euvd
EUVD-2026-17172
CVE Published
Mar 30, 2026 - 19:07 nvd
MEDIUM 5.3

Tags

Node.js Authentication Bypass Redhat

Description

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.

Analysis

Unix Domain Socket operations in Node.js 25.x bypass permission model enforcement, allowing local processes to create IPC endpoints and communicate with other processes when run with --permission flag but without --allow-net. An authenticated local attacker can establish inter-process communication channels that circumvent the intended network isolation boundary, resulting in information disclosure and potential privilege escalation within the same host. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

27
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0

Vendor Status

Ubuntu

Priority: Medium
nodejs
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream not-affected debian: Vulnerable code not present

Debian

nodejs
Release Status Fixed Version Urgency
bullseye fixed 12.22.12~dfsg-1~deb11u4 -
bullseye (security) fixed 12.22.12~dfsg-1~deb11u7 -
bookworm, bookworm (security) fixed 18.20.4+dfsg-1~deb12u1 -
trixie fixed 20.19.2+dfsg-1 -
trixie (security) fixed 20.19.2+dfsg-1+deb13u2 -
forky fixed 22.22.1+dfsg+~cs22.19.15-1 -
sid fixed 22.22.2+dfsg+~cs22.19.15-1 -
(unstable) not-affected - -

Share

CVE-2026-21711 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy