VDB

CVE-2026-48928

CVE-2026-48928 PUBLISHED CVSS 4.2 MEDIUM

Reported by hackerone · Published June 26, 2026

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Risk Scores

CVSS 3.0
4.2
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersions
nodejsnode22.22.3, 24.16.0, 26.3.0
nodejsnode22.22.3, 24.16.0, 26.3.0
alpinenodejs0, 0, 0

Timeline

  • CVE Published
  • Jun 25, 2026 PoC Published
  • Jul 5, 2026 EPSS Score
  • Jul 6, 2026 Distribution Patch
  • Jul 6, 2026 Security Advisory
  • Jul 6, 2026 Distribution Patch
  • Jul 6, 2026 Security Advisory
  • Jul 7, 2026 Distribution Patch
  • Jul 7, 2026 Security Advisory
  • Jul 7, 2026 Distribution Patch
  • Jul 7, 2026 Security Advisory
  • Jul 7, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›