Main Vulnerability Database Vulnerabilities #VU124548

Improper Access Control in Node.js - CVE-2026-21715

Published: March 25, 2026

Vulnerability identifier: #VU124548

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-21715

CWE-ID: CWE-284

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Node.js Foundation

Affected software:
Node.js

Detailed vulnerability description

The vulnerability allows a local user to disclose file existence and resolve symlinks.

The vulnerability exists due to improper access control in fs.realpathSync.native() within the Node.js Permission Model when accessing filesystem paths. A local user can run code under --permission with restricted --allow-fs-read to use fs.realpathSync.native() and determine file existence, resolve symlink targets, and enumerate paths outside permitted directories.

This bypass affects only environments using the Permission Model with intentionally restricted filesystem read permissions.

How to mitigate CVE-2026-21715

Install security update from vendor's website.

Sources

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Improper Access Control in Node.js - CVE-2026-21715

Detailed vulnerability description

How to mitigate CVE-2026-21715

Sources

Please verify you're human