CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

The issue affects users of the Node.js permission model on version v25.

In the moment of this vulnerability, network permissions (--allow-net) are still in the experimental phase.

Database specific

{
    "cna_assigner": "hackerone",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21636.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "25.2.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type

GIT

Repo

https://github.com/nodejs/node

Events

Introduced

0b3a10d4c8ba5e15429287e725d22615be896e95

Fixed

00d6cd83927d6d5c8fe9d0cdd101daa6df4b1a15

Database specific

{
    "extracted_events": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.3.0"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"
}

Affected versions

v25.*

v25.0.0

v25.1.0

v25.2.0

v25.2.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-21636.json"