CVE-2026-48618 | A flaw in Node.js TLS hostname handling can cause Node.js un… | CVSS 7.7 HIGH

Description

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Metadata

CVE ID: CVE-2026-48618
State: PUBLISHED
Assigner: hackerone
Reserved: 2026-05-22 15:00 UTC
Published: 2026-06-26 01:14 UTC
Last updated: 2026-06-26 15:10 UTC
Primary CWE: CWE-176
CWE-176 Improper Handling of Unicode Encoding
Vendor / Product: nodejs / node
Sources: cve.org · NVD

Severity & Metrics

7.7 HIGH CVSS 3.0

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
nodejs	node	—	22.22.3 ≤ 22.22.3, 24.16.0 ≤ 24.16.0, 26.3.0 ≤ 26.3.0

Weakness (CWE)

CWE	Source	Description
CWE-176	cna	CWE-176 Improper Handling of Unicode Encoding

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.7	HIGH	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (1)

https://nodejs.org/en/blog/vulnerability/june-2026-security-releases