CVE-2026-49983
Undergoing Analysis - In Progress
Environment Variable Injection in Deno Runtime

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile() (the Node-compatible API for loading variables from a .env file) does not honor this. It only checks that the program has read permission for the dotenv file, then writes every key in that file into the process environment, even when env access is denied. In effect, --allow-read plus a writable or attacker-controlled .env file is enough to defeat --deny-env. This vulnerability is fixed in 2.8.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product   Version / Range
denoland  deno      up to 2.8.1 (excluding 2.8.1)
denoland  deno      2.3.0
CWE ID: CWE-863
Description: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

In Deno versions prior to 2.8.1, the function process.loadEnvFile() bypasses the environment permission checks. Although environment access is supposed to be controlled by the env permission (which can be denied with --deny-env or restricted with --allow-env), process.loadEnvFile() only verifies that the program has read permission for the .env file. It then writes all the variables from that file into the process environment (process.env), even if env access is denied.

This means that if an attacker has --allow-read permission and can control or write to the .env file, they can effectively override the --deny-env restriction and modify environment variables, defeating Deno's intended permission model.

Impact Analysis

This vulnerability allows an attacker with limited permissions (--allow-read) to bypass environment access restrictions and modify environment variables by controlling a .env file. This can lead to unauthorized changes in the process environment, potentially affecting application behavior, leaking sensitive information, or escalating privileges within the application context.

Since the attack complexity is low and only minimal privileges are required, it poses a moderate risk to applications relying on Deno's permission model for security.

Detection Guidance

This vulnerability can be detected by checking if your Deno environment is running a version prior to 2.8.1 and if the process.loadEnvFile() function is being used in your code. Additionally, verify if the program is running with --allow-read permission and if there is a writable or attacker-controlled .env file accessible.

You can run commands to check the Deno version and inspect permissions and environment file usage, for example:

  • Check Deno version: deno --version
  • Search for usage of process.loadEnvFile() in your codebase: grep -r 'process.loadEnvFile' ./
  • Check if the program is run with --allow-read or --deny-env flags by reviewing startup scripts or process arguments.
  • Inspect the permissions and contents of any .env files that the application may read: ls -l .env; cat .env

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Deno to version 2.8.1 or later where the issue is fixed.

Additionally, restrict read permissions to .env files to prevent attacker-controlled modifications, and avoid relying solely on --deny-env to protect environment variables if process.loadEnvFile() is used.

If upgrading is not immediately possible, avoid using process.loadEnvFile() or ensure that the .env file is not writable or controlled by untrusted users.
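The missing check from the description, and the mitigation of not relying on --deny-env alone, as an added example that is not Deno's code and does not reproduce Deno's internals: a dotenv loader that gates every key on an env policy instead of stopping at the read check, shown beside the unguarded shape. The parser, the policy object and the sample file are assumptions.

```javascript
// Added example, not Deno's code. Models the check process.loadEnvFile() skipped
// before 2.8.1: a loader must gate each key on the env permission, not only on
// read access. The dotenv parser, policy shape and sample file are assumptions.

// Constructed sample .env content.
const SAMPLE_DOTENV = [
  "# constructed sample",
  "export FOO=bar",
  'BAZ="quoted value"',
  "SECRET=abc # trailing comment",
].join("\n");

const DOTENV_LINE = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/;

// Minimal dotenv parser: KEY=VALUE, optional quotes, '#' comments, blank lines.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = DOTENV_LINE.exec(line);
    if (!m) continue;
    let value = m[2];
    const quoted = value.length >= 2 && /^(["']).*\1$/.test(value);
    value = quoted ? value.slice(1, -1) : value.replace(/\s+#.*$/, "").trim();
    out[m[1]] = value;
  }
  return out;
}

// Unguarded shape (the pre-2.8.1 behaviour): read the file, then write every key.
function loadEnvFileUnguarded(text, env = {}) {
  return Object.assign(env, parseDotenv(text));
}

// Env policy mirroring the CLI flags: --deny-env, --allow-env=FOO,BAR, or full access.
function envAllowed(policy, key) {
  if (policy.mode === "all") return true;
  if (policy.mode === "allow") return policy.keys.includes(key);
  return false; // "deny"
}

// Guarded shape: read access alone is not enough; each key must pass the env policy.
function loadEnvFileGuarded(text, policy, env = {}) {
  const applied = [], refused = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (envAllowed(policy, key)) { env[key] = value; applied.push(key); }
    else refused.push(key);
  }
  return { env, applied, refused };
}
```

Under a deny policy the guarded loader applies nothing and reports every key as refused, which is the behaviour the advisory expects from a program run with --deny-env.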
