CVE-2026-21636
Published: 20 January 2026
Summary
CVE-2026-21636 is a critical-severity Improper Access Control (CWE-284) vulnerability in Node.js (vendor: nodejs). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the Node.js permission model flaw by identifying, reporting, and applying vendor patches to prevent UDS bypass of network restrictions.
- Enforces approved information flow control policies to block unauthorized connections to arbitrary local sockets via net, tls, or undici/fetch modules.
- Mandates enforcement of access authorizations to maintain the intended security boundary of the Node.js permission model against UDS bypasses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables remote exploitation of a public-facing Node.js application to bypass permission boundaries for unauthorized local socket access, resulting in privilege escalation and code execution.
NVD Description
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
- The issue affects users of the Node.js permission model on version v25. At the time of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.
Deeper analysis
CVE-2026-21636 is a flaw in Node.js's permission model that allows Unix Domain Socket (UDS) connections to bypass network restrictions when the `--permission` flag is enabled. This vulnerability affects users of the Node.js permission model on version v25. Even without the `--allow-net` option—which remains in the experimental phase—attacker-controlled inputs, such as URLs or socketPath options, can connect to arbitrary local sockets via the net, tls, or undici/fetch modules. This breaks the intended security boundary of the permission model.
The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and results in a scope change (S:C). Attackers can achieve high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), enabling access to privileged local services. Potential outcomes include privilege escalation, data exposure, or local code execution, as reflected in the CVSS v3.1 base score of 10.0.
Mitigation details are provided in the Node.js December 2025 security releases advisory at https://nodejs.org/en/blog/vulnerability/december-2025-security-releases. The issue is associated with CWE-284 (Improper Access Control).
Details
- CWE(s)