#VU124548 Improper Access Control in Node.js - CVE-2026-21715


Published: March 25, 2026


Vulnerability identifier: #VU124548
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21715
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Node.js
Software vendor: Node.js Foundation

Description

The vulnerability allows a local user to determine whether files exist and to resolve symlinks outside the directories the Permission Model permits.

The vulnerability exists due to improper access control in fs.realpathSync.native() under the Node.js Permission Model when accessing filesystem paths. A local user running code under --permission with a restricted --allow-fs-read set can call fs.realpathSync.native() to determine whether a file exists, resolve symlink targets, and enumerate paths outside the permitted directories.

This bypass affects only environments using the Permission Model with intentionally restricted filesystem read permissions.


Remediation

Install the security update from the vendor's website.

External links