What is CVE-2026-21636?

A critical vulnerability in Node.js allows Unix Domain Socket connections to bypass network restrictions, potentially leading to privilege escalation. Organizations using Node.js must address this issue immediately to prevent unauthorized access.

What is the severity of CVE-2026-21636?

CVE-2026-21636 has a severity rating of CRITICAL with a CVSS base score of 10.

CVE-2026-21636 | Critical Vulnerability in Node.js

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

Risk to organizations includes unauthorized access to local services, which may result in data breaches or other severe impacts. Given the critical severity of this vulnerability, organizations should prioritize patching immediately.

As of now, there are no known public exploits associated with this vulnerability, but the exploitability is considered critical. Organizations should remain vigilant and ensure their systems are patched.

The urgency for defenders cannot be overstated. Immediate action is required to mitigate potential risks associated with this vulnerability.

Vulnerability Details

CVE-2026-21636 is classified as a critical vulnerability with a CVSS score of 10. The flaw allows UDS connections to bypass network restrictions under certain configurations, violating the intended security measures of the Node.js permission model.

The affected product is Node.js, specifically version v25. The publication date for this vulnerability is January 20, 2026. The vulnerability is classified under CWE-284, indicating improper access control.

Technical Analysis

The root cause of this vulnerability lies in the flawed permission model of Node.js, which fails to enforce proper access controls on UDS connections. The attack vector is network-based, with a low attack complexity, and no privileges are required to exploit the flaw. User interaction is not needed, making it easier for attackers to exploit this vulnerability.

The impacts of this vulnerability are severe, with high impacts on confidentiality, integrity, and availability, as it may allow unauthorized access to sensitive local services.

Risk & Impact Analysis

Real-world deployment risk is substantial, as this vulnerability can lead to unauthorized access and control over privileged local services. Organizations must understand the blast radius potential, as compromised local services can affect overall system integrity and confidentiality.

Given the critical CVSS score of 10, organizations should prioritize this vulnerability in their patching cycles. The urgency for remediation is high, reflecting the severe risks associated with not addressing this vulnerability.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerability affects all versions of Node.js prior to version 25.3.0, specifically starting from version 25.0.0.

Mitigation & Remediation

Organizations must patch their Node.js installations to version 25.3.0 or later to mitigate this vulnerability. For those unable to update immediately, consider disabling the `--permission` flag if it is not critical for your applications. Additionally, strict network controls should be implemented to limit access to local services.

For ongoing security validation, organizations should look into continuous security testing which can help identify any new vulnerabilities that may arise.

Detection Guidance

Organizations should monitor for unusual network activities that may indicate exploitation attempts, such as unexpected UDS connections. Additionally, logging should be enabled for all socket connections to ensure any unauthorized access can be traced.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2026-21636 lies in its potential to expose critical local services to unauthorized access. As organizations increasingly rely on Node.js for their applications, the need for robust permission models becomes paramount.

This vulnerability highlights the importance of continuous security assessments, as even experimental features can introduce significant risks. Security teams should consider reviewing their Node.js configurations and ensuring they understand the implications of enabling experimental features.

For further insights into vulnerability management, organizations can refer to vulnerability management programs and their importance in maintaining system security.

Additionally, organizations should engage in penetration testing to assess their defenses against emerging threats.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-21636: Critical Vulnerability in Node.js