CVE-2026-49983
MediumCVSS 5.2Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
In Deno prior to 2.8.1, the process.loadEnvFile() function does not honor environment permission restrictions (--deny-env). It allows writing variables from a .env file into the process even when environment access is denied.
Risk Assessment
An attacker with write access or control over a .env file can bypass --deny-env restrictions and inject arbitrary environment variables, potentially leading to privilege escalation or data leakage.
Recommendation
Update Deno to version 2.8.1 or later immediately. Until updated, avoid using process.loadEnvFile() in environments with restricted environment variable access.
Original NVD description (English source)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile() (the Node-compatible API for loading variables from a .env file) does not honor this. It only checks that the program has read permission for the dotenv file, then writes every key in that file into the process environment — even when env access is denied. In effect, --allow-read plus a writable or attacker-controlled .env file is enough to defeat --deny-env. This vulnerability is fixed in 2.8.1.

