Vulnerability DatabaseCVE-2026-21716
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-21716
Published:March 30, 2026
Updated:April 23, 2026
An incomplete fix for CVE-2024-36137 leaves "FileHandle.chmod()" and "FileHandle.chown()" in the promises API without the required permission checks, while their callback-based equivalents ("fs.fchmod()", "fs.fchown()") were correctly patched. As a result, code running under "--permission" with restricted "--allow-fs-write" can still use promise-based "FileHandle" methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects 20.x, 22.x, 24.x, and 25.x processes using the Permission Model where "--allow-fs-write" is intentionally restricted.
Affected Packages
https://github.com/nodejs/node.git (GITHUB):
Affected version(s) >=v24.0.0 <v24.14.1
Fix Suggestion:
Update to version v24.14.1
https://github.com/nodejs/node.git (GITHUB):
Affected version(s) >=v25.0.0 <v25.8.2
Fix Suggestion:
Update to version v25.8.2
https://github.com/nodejs/node.git (GITHUB):
Affected version(s) >=v20.0.0 <v20.20.2
Fix Suggestion:
Update to version v20.20.2
https://github.com/nodejs/node.git (GITHUB):
Affected version(s) >=v22.0.0 <v22.22.2
Fix Suggestion:
Update to version v22.22.2
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (1)
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
Do you need more information?
Contact Us
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Missing Authorization
CWE-862