What is CVE-2026-21716?

CVE-2026-21716 is a low-severity vulnerability in Nodejs Node. CVSS score: 3.3/10. Published 2026-03-30.

How severe is CVE-2026-21716?

Low severity. CVSS v3 base score is 3.3 out of 10.

Vulnerability in Nodejs Node

CVE-2026-21716

An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patc…

EPSS: 0.000 (0.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.3 (Low). Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Affected products

Nodejs Node — versions 20.20.1, 22.22.1, 24.14.0

References

nodejs.org/en/blog/vulnerability/march-2026-security-releases

Frequently asked questions

What is CVE-2026-21716?: CVE-2026-21716 is a low-severity vulnerability in Nodejs Node. CVSS score: 3.3/10. Published 2026-03-30.
How severe is CVE-2026-21716?: Low severity. CVSS v3 base score is 3.3 out of 10.