Unrated

Node.js Permission Model network restriction bypass via Unix domain socket server

Identifiers: CVE-2026-48936, CWE-284

CVE-2026-48936 is a low-severity vulnerability in the Node.js Permission Model affecting the 26.x release line. According to the provided content, the flaw allows a Unix domain socket server to be started under specific conditions even without the --allow-net permission, resulting in a bypass of Node.js network permission restrictions. The issue is described as a Permission API / Permission Model bypass in which Unix domain socket server behavior is not correctly constrained by the --permission / --allow-net network access policy.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows bypass of the intended Node.js network access restriction enforced by the Permission Model. An attacker who can execute code within a constrained Node.js process may start a local server over a Unix domain socket despite the absence of --allow-net, undermining the security boundary intended to prevent network-listening operations. This can weaken sandboxing assumptions and permit unauthorized local IPC exposure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid relying solely on the Node.js Permission Model to block local Unix domain socket server creation in affected 26.x deployments. Restrict execution of untrusted code, disable or avoid use of the Permission Model in security-boundary scenarios where local IPC creation would be sensitive, and apply OS-level controls such as filesystem permission restrictions, container isolation, MAC policies, and process sandboxing to prevent unauthorized socket creation and access.
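As a complement to the OS-level controls above, the following added example (not code from Node.js or from this advisory) audits a Linux host for listening Unix domain sockets owned by Node.js processes started with --permission but without --allow-net. It assumes the /proc/net/unix layout and a process list gathered from /proc/<pid>/cmdline and /proc/<pid>/fd; the function names and sample data are constructed for illustration.

```javascript
const SO_ACCEPTCON = 0x10000; // kernel flag: socket is in listen() state
// Parse the text of /proc/net/unix into socket records.
function parseProcNetUnix(text) {
  const sockets = [];
  for (const line of text.split('\n').slice(1)) { // skip header row
    const f = line.trim().split(/\s+/);
    if (f.length < 7) continue;
    sockets.push({
      listening: (parseInt(f[3], 16) & SO_ACCEPTCON) !== 0,
      inode: Number(f[6]),
      path: f.slice(7).join(' ') || '(unnamed)', // '@' prefix = abstract namespace
    });
  }
  return sockets;
}

// Heuristic (assumption): argv[0] is node, --permission present, --allow-net absent.
// Flags passed through NODE_OPTIONS are not visible in argv and are not checked.
function isNetRestrictedNode(argv) {
  const exe = (argv[0] || '').split('/').pop();
  return exe === 'node' && argv.includes('--permission') &&
    !argv.some((a) => a === '--allow-net' || a.startsWith('--allow-net='));
}

// procs: [{ pid, argv, socketInodes }] from /proc/<pid>/cmdline and "socket:[inode]" fd links.
function findUnexpectedListeners(procNetUnix, procs) {
  const listeners = new Map(
    parseProcNetUnix(procNetUnix).filter((s) => s.listening).map((s) => [s.inode, s]));
  const findings = [];
  for (const p of procs.filter((q) => isNetRestrictedNode(q.argv))) {
    for (const inode of p.socketInodes) {
      if (listeners.has(inode)) findings.push({ pid: p.pid, inode, path: listeners.get(inode).path });
    }
  }
  return findings;
}

// Constructed sample data (not from a real host).
const SAMPLE_UNIX = `Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 41001 /tmp/worker.sock
0000000000000000: 00000003 00000000 00000000 0001 03 41002
0000000000000000: 00000002 00000000 00010000 0001 01 41003 @abstract-ipc
0000000000000000: 00000002 00000000 00010000 0001 01 41004 /run/api.sock`;
const SAMPLE_PROCS = [
  { pid: 900, argv: ['/usr/bin/node', '--permission', 'worker.js'], socketInodes: [41001, 41002] },
  { pid: 901, argv: ['/usr/bin/node', '--permission', '--allow-net', 'api.js'], socketInodes: [41004] },
  { pid: 902, argv: ['/usr/bin/node', 'plain.js'], socketInodes: [41003] },
];
console.log(findUnexpectedListeners(SAMPLE_UNIX, SAMPLE_PROCS));
```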

Remediation

Patch, then assume compromise.

Upgrade Node.js to a fixed release that includes the June 18, 2026 security updates for the affected line. The provided content states that CVE-2026-48936 affects Node.js 26.x and is fixed in Node.js v26.3.1; one source in the content also references patched version v26.3.2. Based on the supplied material, administrators should upgrade to the latest available patched 26.x release and avoid unsupported/end-of-life versions.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
