CVE-2026-21636 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-21636 PUBLISHED CVSS 8.600000381469727 HIGH

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

EPSS 0.02% · 6.0th percentile

Risk Scores

CVSS v4.0

8.600000381469727

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.02%

6.0th percentile

Affected Products

Vendor	Product	Versions
Bitnami	node-min	25.0.0, 25.0.0, 25.0.0
Bitnami	node	25.0.0, 25.0.0, 25.0.0
Bitnami	node-min	25.0.0
Bitnami	node	25.0.0

Timeline

CVE Published
Jan 21, 2026 EPSS Score
Jan 23, 2026 EPSS Score
Jan 25, 2026 EPSS Score
Jan 28, 2026 EPSS Score
Jan 30, 2026 EPSS Score
Feb 1, 2026 EPSS Score
Feb 3, 2026 EPSS Score
Feb 5, 2026 EPSS Score
Feb 7, 2026 EPSS Score
Feb 10, 2026 EPSS Score
Feb 12, 2026 EPSS Score

References

Open in Interactive Console →