CVE-2026-21636
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-20

Last updated on: 2026-01-30

Assigner: HackerOne

Description
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21636
EUVD
EUVD-2026-3334
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nodejs node.js From 25.0.0 (inc) to 25.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in Node.js's permission model that allows Unix Domain Socket (UDS) connections to bypass network restrictions when the '--permission' flag is enabled. Even if the '--allow-net' permission is not granted, attacker-controlled inputs like URLs or socketPath options can connect to arbitrary local sockets using net, tls, or undici/fetch modules. This breaks the intended security boundary of the permission model.

Impact Analysis

The vulnerability can allow attackers to access privileged local services, which may lead to privilege escalation, exposure of sensitive data, or local code execution on the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21636. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart