Low severity3.3NVD Advisory· Published Mar 30, 2026· Updated Apr 1, 2026

CVE-2026-21715

Description

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native() without the required read permission checks, while all comparable filesystem functions correctly enforce them.

As a result, code running under --permission with restricted --allow-fs-read can still use fs.realpathSync.native() to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x processes using the Permission Model where --allow-fs-read is intentionally restricted.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

nodejs.org/en/blog/vulnerability/march-2026-security-releasesnvd

News mentions

No linked articles in our index yet.

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000