Node.js Permission Model Bypass via process.report.writeReport() (CVE-2026-48617) Advisory

Vulnerability Overview Vulnerability Name: Permission Model Bypass via Path Misvalidation Vulnerability Description: A flaw in Node.js's permission model execution allows bypass via misvalidation of the path. This may lead to confidentiality impacts or bypass of expected security boundaries under affected configurations. Severity: Low (1.8) Status: Resolved Affected Versions Affected Versions: All supported release versions, including Node.js 22, Node.js 24, and Node.js 26. Remediation Remediation Status: Resolved CVE ID: CVE-2026-48617 Weakness Type: Improper Access Control - Generic Timeline Report Submitted: April 24, 2026, 8:43 am UTC Status Changes: - April 25, 2026, 10:07 am UTC: Status changed to "Classified" - April 25, 2026, 10:08 am UTC: Severity updated from "High" to "Low" - April 26, 2026, 1:13 am UTC: Severity updated from "Low" to "Low (1.8)" - April 26, 2026, 1:13 am UTC: CVE reference updated to CVE-2026-48617 - April 26, 2026, 1:13 am UTC: Report closed, status changed to "Resolved" - April 26, 2026, 1:13 am UTC: Disclosure of this report requested - April 26, 2026, 1:13 am UTC: Disclosure of this report agreed - April 26, 2026, 1:13 am UTC: Report disclosed Additional Information Disclosure Date: June 18, 2026, 2:48 pm UTC Reward: Hidden Retry: Hidden Total Reward: Hidden Account Details: None POC Code or Exploit Code No specific POC code or exploit code is included in the page.

Goal Reached Thanks to every supporter — we hit 100%!

Node.js Permission Model Bypass via process.report.writeReport() (CVE-2026-48617) Advisory