CVE-2026-48618_CVE-2026-48618

7.7 / 10

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.

This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Basic Information

ID CVE-2026-48618

Source hackerone

Published Jun 26, 2026 at 01:14

Affected Product

Vendor nodejs

Product node

Version 22.22.3

Affected Versions nodejs node 22.22.3
nodejs node 24.16.0
nodejs node 26.3.0

CWE Classification

CWE-176

References

nodejs.org /en/blog/vulnerability/june-2026-security-releases

{
    "lastseen": "",
    "description": "A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.\r\n\r\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
    "published": "2026-06-26T01:14:36.868Z",
    "modified": "2026-06-26T01:14:36.868Z",
    "type": "cve",
    "title": "CVE-2026-48618",
    "source": "hackerone",
    "references": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
    "id": "CVE-2026-48618",
    "bulletinFamily": "",
    "cwe": [
        "CWE-176"
    ],
    "cvelist": null,
    "sourceData": "nodejs node 22.22.3\nnodejs node 24.16.0\nnodejs node 26.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "node",
    "version": "22.22.3",
    "vendor": "nodejs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}