CVE-2026-48618 | THREATINT

Description

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

PUBLISHED Reserved 2026-05-22 | Published 2026-06-26 | Updated 2026-06-26 | Assigner hackerone

HIGH: 7.7CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-176 Improper Handling of Unicode Encoding

Product status

Default status

unaffected

22.22.3 (semver)

affected

24.16.0 (semver)

affected

26.3.0 (semver)

affected

References

nodejs.org/en/blog/vulnerability/june-2026-security-releases

cve.org (CVE-2026-48618)

nvd.nist.gov (CVE-2026-48618)

Download JSON