improper-handling-of-case-sensitivity

CVE-2026-48928

Node.js

Medium

CVSS Details

CVSS Score
Medium
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness
CWE-178 Improper Handling of Case Sensitivity

Description

An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. SNI context matching is performed case-sensitively, so a client presenting an uppercase (or mixed-case) server name can be routed to a TLS context other than the one intended by the trust policy. In multi-context mutual TLS deployments this can lead to an authorization bypass, where a connection is matched against unintended certificate validation rules. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
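The effect described above, as an added example that is not Node.js source code and not part of the advisory: a simplified model of per-hostname context selection, showing a case-sensitive lookup beside a normalized, fail-closed one. The hostnames, policy objects, function names and the fall-through-to-default behaviour are assumptions made for illustration.

```javascript
// Added illustration: simplified model of per-hostname TLS policy selection.
// Not Node.js internals; all names and values below are constructed.

// Constructed sample trust policies for a multi-context mTLS server.
const DEFAULT_POLICY = { name: 'default', clientCa: 'public-ca', requireClientCert: false };
const policies = new Map([
  ['admin.example.test', { name: 'admin', clientCa: 'admin-ca', requireClientCert: true }],
  ['api.example.test', { name: 'api', clientCa: 'partner-ca', requireClientCert: true }],
]);

// Case-sensitive lookup: a name differing only in case misses its entry.
// Assumption: a miss falls through to the default policy.
function selectCaseSensitive(servername) {
  return policies.get(servername) || DEFAULT_POLICY;
}

// DNS names compare case-insensitively (RFC 4343), so fold case before
// matching and reject anything that is not a plain hostname.
function normalizeServername(servername) {
  if (typeof servername !== 'string' || servername.length === 0) return null;
  const name = servername.toLowerCase();
  return /^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(name) ? name : null;
}

// Hardened lookup: normalize first, and fail closed (null) on an unknown
// or malformed name instead of silently applying a weaker default policy.
function selectNormalized(servername) {
  const name = normalizeServername(servername);
  if (name === null) return null;
  return policies.get(name) || null;
}

// Compare both lookups for one presented server name.
function compare(servername) {
  const strict = selectNormalized(servername);
  return {
    servername,
    caseSensitive: selectCaseSensitive(servername).name,
    normalized: strict ? strict.name : 'rejected',
  };
}

for (const sni of ['admin.example.test', 'ADMIN.example.test', 'other.example.test']) {
  console.log(compare(sni));
}
```

In a server, the selected policy would map to a context built with `tls.createSecureContext()` and returned through the `SNICallback` option of `tls.createServer()`, with a `null` result rejecting the handshake by passing an error to the callback.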

Disclosure Date

Public Disclosure
June 18, 2026