PT-2026-52060 · OpenJS Foundation · Node.js

Published: 2026-06-23 · Updated: 2026-06-26 · CVE-2026-48928

CVSS v3.1: 4.2 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Node.js versions 22.x and earlier
Node.js versions 24.x and earlier
Node.js versions 26.0.0 through 26.3.0

Description

An inconsistency in hostname matching can lead to a trust-policy bypass within multi-context mTLS (mutual Transport Layer Security) setups. mTLS is a process where both the client and server authenticate each other using digital certificates.

Recommendations

Update Node.js 22 to the latest patched version.
Update Node.js 24 to the latest patched version.
Update Node.js 26 to version 26.3.1-1.1 or later.

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-48928
OPENSUSE-SU-2026:11110-1
OPENSUSE-SU-2026:11121-1
SUSE-SU-2026:2633-1

Affected Products

Node.js