CVE-2026-48935
LowCVSS 3.3Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
A flaw in Node.js Permission API allows modification of file metadata even on a path set as read-only with the `--allow-fs-read` flag. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Risk Assessment
The organization may lose control over the integrity of files that should be protected from writes, potentially leading to unauthorized metadata changes and security breaches.
Recommendation
Immediately update Node.js to the latest patched version for the used release line (22, 24, or 26) and monitor official security advisories.
Original NVD description (English source)
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

