CVE Catalog

CVE-2026-48935

Low · CVSS 3.3
Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

A flaw in the Node.js Permission API allows file metadata to be modified even on a path set as read-only with the `--allow-fs-read` flag. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Risk Assessment

Files that should be protected from writes may have their metadata changed without authorization, so the organization may lose control over their integrity, potentially leading to security breaches.

Recommendation

Immediately update Node.js to the latest patched version for the release line in use (22, 24, or 26) and monitor official security advisories.

Original NVD description (English source)

A flaw in Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS