Improper Access Control in Node.js - CVE-2026-21711

 

Published: March 25, 2026


Vulnerability identifier: #VU124543
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21711
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Node.js Foundation
Affected software:
Node.js

Detailed vulnerability description

The vulnerability allows a local user to bypass the network restrictions of the Node.js Permission Model.

The vulnerability exists due to improper access control in Unix Domain Socket (UDS) server operations in the Node.js Permission Model: binding or listening on a UDS path is not covered by the network permission check. Code executed in a process started with --permission but without --allow-net can therefore still create a UDS server and expose a local IPC endpoint to other processes on the same host, bypassing the intended network restriction.

This issue affects only environments that use the experimental Permission Model (--permission) with --allow-net intentionally omitted. Processes started without --permission, or with --allow-net, have no network restriction in place and are not affected.


How to mitigate CVE-2026-21711

Install the security update from the vendor's website (update Node.js to a release that contains the fix for CVE-2026-21711). Until the update is applied, do not rely on --permission without --allow-net as a boundary against local IPC exposure: the Permission Model is experimental, and network isolation should additionally be enforced at the operating-system level (a dedicated user account, container or namespace isolation, and restrictive permissions on directories where socket files could be created).

Sources