CVE-2026-48928
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Risk Assessment
An attacker could exploit this vulnerability to bypass mutual TLS authentication mechanisms, potentially leading to unauthorized access to protected resources or interception of communications.
Recommendation
It is recommended to immediately update Node.js to the latest patched version for the used release line (22.x, 24.x, or 26.x) after the corresponding security patch is published.
Original NVD description (English source)
A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

