#VU124543 Improper Access Control in Node.js - CVE-2026-21711

 

Published: March 25, 2026


Vulnerability identifier: #VU124543
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21711
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Node.js
Software vendor: Node.js Foundation

Description

The vulnerability allows a local user to bypass permission restrictions.

The vulnerability exists due to improper access control in Unix Domain Socket (UDS) server operations in the Node.js Permission Model when binding or listening on UDS endpoints. A local user can run code with --permission but without --allow-net to create and expose local IPC endpoints, bypassing intended network restrictions.

This issue affects only environments using the experimental Permission Model with --allow-net intentionally omitted.
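To find deployments that match this condition, the following added example (not code from the advisory or from the Node.js project) classifies launch configurations by whether the Permission Model is enabled and --allow-net is omitted. The service names and paths are constructed samples; treating --experimental-permission as the older spelling of --permission and reading flags from NODE_OPTIONS are assumptions not stated on this page.

```javascript
// Added example: constructed inputs; not code from the advisory or Node.js.
const PERMISSION_FLAGS = new Set(['--permission', '--experimental-permission']);
// Node options whose value is a separate argument (partial list, assumption).
const TAKES_VALUE = new Set(['-r', '--require', '--import']);

// Collect options addressed to the node binary: NODE_OPTIONS first, then
// argv entries up to the script path or a bare "--".
function nodeFlags(argv, nodeOptions = '') {
  const flags = nodeOptions.split(/\s+/).filter(Boolean);
  for (let i = 1; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === '--' || !arg.startsWith('-')) break; // script path reached
    flags.push(arg);
    if (TAKES_VALUE.has(arg)) i++; // skip that option's value
  }
  return flags;
}

// Classify one launch configuration against the advisory's condition.
function classifyLaunch(argv, nodeOptions = '') {
  const flags = nodeFlags(argv, nodeOptions);
  const permission = flags.some((f) => PERMISSION_FLAGS.has(f));
  const allowNet = flags.some((f) => f === '--allow-net' || f.startsWith('--allow-net='));
  if (!permission) return 'permission-model-off';
  return allowNet ? 'net-allowed' : 'relies-on-net-restriction';
}

// Constructed sample inventory (service names and paths are hypothetical).
const SAMPLE_LAUNCHES = [
  { name: 'report-worker', argv: ['node', '--permission', '--allow-fs-read=/srv/app', 'worker.js'] },
  { name: 'api', argv: ['node', '--permission', '--allow-net', 'server.js'] },
  // A flag after the script path is passed to the application, not to node.
  { name: 'legacy', argv: ['node', 'index.js', '--permission'] },
  { name: 'batch', argv: ['node', '-r', './trace.js', 'batch.js'], nodeOptions: '--permission' },
];

// Names of services that depend on the omitted --allow-net as a restriction.
function audit(launches) {
  return launches
    .filter((l) => classifyLaunch(l.argv, l.nodeOptions) === 'relies-on-net-restriction')
    .map((l) => l.name);
}

console.log(audit(SAMPLE_LAUNCHES));
```

Services reported by `audit` are the ones to prioritize for the vendor update, since they depend on the restriction this issue bypasses.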


Remediation

Install the security update from the vendor's website.
