Node.js Trust-Policy Bypass Vulnerability in Multi-Context mTLS Setups
CVE-2026-48928

4.2 MEDIUM

Key Information:

Vendor

Node.js

Status
Vendor
CVE Published:
26 June 2026

What is CVE-2026-48928?

An inconsistency in hostname matching within Node.js can lead to a trust-policy bypass in multi-context mTLS setups. This flaw poses a significant risk by enabling unauthorized trust relationships. The issue affects all supported release lines of Node.js (22, 24, and 26), making it critical for users to review their configurations and apply the appropriate mitigations to ensure secure communication.

Affected Version(s)

node 22.22.3

node 24.16.0

node 26.3.0

References

CVSS V3.0

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
