Description

A flaw in Node.js Permission Model enforcement allows a bypass through path misvalidation in `process.report.writeReport()`. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

PUBLISHED Reserved 2026-05-22 | Published 2026-06-18 | Updated 2026-06-18 | Assigner hackerone




LOW: 1.8 | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

Problem types

CWE-284 Improper Access Control - Generic

Product status

Default status: unaffected

22.22.3 (semver): affected

24.16.0 (semver): affected

26.3.0 (semver): affected

References

nodejs.org/en/blog/vulnerability/june-2026-security-releases

hackerone.com/reports/3692858

cve.org (CVE-2026-48617)

nvd.nist.gov (CVE-2026-48617)