{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21716", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.575Z", "datePublished": "2026-03-30T19:07:28.538Z", "dateUpdated": "2026-03-31T14:27:23.323Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.538Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:27:06.373734Z", "id": "CVE-2026-21716", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:27:23.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "20.20.1", "versionType": "semver", "lessThanOrEqual": "20.20.1"}, {"status": "affected", "version": "22.22.1", "versionType": "semver", "lessThanOrEqual": "22.22.1"}, {"status": "affected", "version": "24.14.0", "versionType": "semver", "lessThanOrEqual": "24.14.0"}, {"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.538Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21716", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:27:06.373734Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-31T14:27:19.730Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-21716", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:07:28.538Z", "dateReserved": "2026-01-04T15:00:06.575Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T19:07:28.538Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}, {"lang": "es", "value": "Una soluci\u00f3n incompleta para CVE-2024-36137 deja `FileHandle.chmod()` y `FileHandle.chown()` en la API de promesas sin las comprobaciones de permisos requeridas, mientras que sus equivalentes basados en callbacks (`fs.fchmod()`, `fs.fchown()`) fueron parcheados correctamente.\n\nComo resultado, el c\u00f3digo que se ejecuta bajo `--permission` con `--allow-fs-write` restringido a\u00fan puede usar m\u00e9todos `FileHandle` basados en promesas para modificar los permisos y la propiedad de los archivos en descriptores de archivo ya abiertos, eludiendo las restricciones de escritura previstas.\n\nEsta vulnerabilidad afecta a los procesos 20.x, 22.x, 24.x y 25.x que utilizan el Modelo de Permisos donde `--allow-fs-write` est\u00e1 restringido intencionalmente."}], "id": "CVE-2026-21716", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.873", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.", "id": "2453157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-279", "details": ["An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.", "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21716", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T19:07:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21716\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21716\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases"], "threat_severity": "Low"}