CVE Catalog

CVE-2026-48928

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Risk Assessment

An attacker could exploit this vulnerability to bypass mutual TLS authentication mechanisms, potentially leading to unauthorized access to protected resources or interception of communications.

Recommendation

It is recommended to immediately update Node.js to the latest patched version for the used release line (22.x, 24.x, or 26.x) after the corresponding security patch is published.

Original NVD description (English source)

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS