Patch Node.js now: June security releases fix TLS, WebCrypto, HTTP/2, and permission flaws
Node.js published June 2026 security releases for 22.x, 24.x, and 26.x, including two high-severity issues and several medium and low flaws.
Node.js has published security releases for the supported 22.x, 24.x, and 26.x lines. Confidence level: confirmed. The June 18, 2026 release fixes two high-severity issues plus additional medium and low flaws across TLS hostname handling, WebCrypto, proxy errors, HTTP/2, and the Permission Model.

What changed
The Node.js project released updates for Node.js 22, 24, and 26 on June 18, 2026. The advisory lists patched releases as v22.23.0, v24.17.0, and v26.3.1, and says end-of-life versions should be treated as affected when a security release occurs.
The two high-severity issues are CVE-2026-48933, an integer overflow in WebCrypto AES handling that can crash a process, and CVE-2026-48618, a TLS hostname normalization mismatch involving Unicode dot separators that can bypass wildcard-depth checks in certificate hostname verification under affected configurations.
Why this is early
The primary source is the official Node.js security post. OpenCVE and HKCERT provide independent security-tracking context, including affected supported lines, CVE metadata, and impact descriptions. This is not a rumor or launch listing; it is a patch decision item for anyone running supported Node.js server, worker, CLI, or agent infrastructure.
The open question is not whether to patch. It is how quickly you can move production and CI images without breaking native dependencies, OpenSSL-sensitive integrations, or runtime assumptions around TLS and permissions.
Key takeaways
- Upgrade Node.js 22, 24, and 26 deployments to the patched releases listed by the Node.js project.
- Prioritize internet-facing services, TLS-heavy clients, HTTP/2 clients, and systems that expose WebCrypto-driven operations to untrusted input.
- Audit logs and diagnostics for proxy credentials if affected proxy URLs were embedded in runtime errors.
- Treat Node.js 20 and older as out of scope for the supported-line discussion: the advisory states that end-of-life versions are always affected when a security release occurs.
- Rebuild containers and CI base images, not just local developer machines.

| Area | CVE or issue | Severity in Node.js advisory | Practical check |
|---|---|---|---|
| WebCrypto | CVE-2026-48933 | High | Look for large untrusted encryption inputs and upgrade runtime images |
| TLS hostname handling | CVE-2026-48618 | High | Review wildcard cert validation assumptions and patched runtime rollout |
| Proxy errors | CVE-2026-48615 | Medium | Check whether proxy credentials may have reached logs |
| HTTP/2 | CVE-2026-48619 / CVE-2026-48937 | Medium | Patch clients and servers using HTTP/2 under untrusted peers |
| Permission Model | CVE-2026-48617 / CVE-2026-48935 / CVE-2026-48936 | Low | Retest sandbox and filesystem/network restrictions |
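For the proxy-error row above, the practical check is whether a proxy URL with embedded credentials ever reached your logs. The following is an added example, not code from the Node.js project or this post: it scans log text for URLs carrying userinfo using the WHATWG URL parser built into Node.js, reports host and username (never the secret), and returns a redacted copy. The log lines are constructed for the example.

```javascript
// Added example (not from the Node.js advisory or the article): find proxy-style
// URLs with embedded credentials in log text and redact them.
const URL_TOKEN = /\b[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi;

// Strip punctuation a log line tends to glue onto the end of a URL.
function trimTrailing(token) {
  return token.replace(/[.,;:)\]}]+$/, '');
}

// Returns { findings, redacted } for one log line. Each finding records the
// proxy host and username; the password itself is never copied into output.
// Note: the URL serializer appends a "/" path to special schemes like http.
function scanLine(line) {
  const findings = [];
  const redacted = line.replace(URL_TOKEN, (raw) => {
    const token = trimTrailing(raw);
    const tail = raw.slice(token.length);
    let url;
    try { url = new URL(token); } catch { return raw; }
    if (!url.username && !url.password) return raw;
    findings.push({ host: url.host, username: url.username });
    url.username = 'REDACTED';
    url.password = url.password ? 'REDACTED' : '';
    return url.href + tail;
  });
  return { findings, redacted };
}

// Scan a whole log; each finding carries its 1-based line number.
function scanLog(text) {
  return text.split(/\r?\n/).flatMap((line, i) =>
    scanLine(line).findings.map((f) => ({ line: i + 1, ...f }))
  );
}

// Constructed sample lines (not real logs) of the shape a runtime error might leave behind.
const SAMPLE_LOG = [
  'info: fetch https://api.example.test/v1/items ok',
  'error: connect ECONNREFUSED via proxy http://svc-user:s3cret%21@proxy.internal.test:3128 (retrying)',
  'warn: proxy set to http://proxy.internal.test:3128 without credentials',
].join('\n');

console.log(scanLog(SAMPLE_LOG));
```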
Availability and access
The patched releases are available now from the Node.js project. Teams should update package managers, Docker base images, CI runners, server images, and local development tools that pin major versions. If your production baseline is an LTS line, check the exact patched version rather than relying on a loose node:latest tag.
If you use managed hosting, verify the provider's runtime version. Serverless, edge, container, and build platforms may update on different schedules, and a patched local machine does not prove that production workloads have moved.
Practical LinkLoot angle
This is the kind of security release that affects automation stacks quietly. Node.js runs build tools, API servers, bots, CLIs, webhooks, and AI-agent glue code. A missed runtime update can leave a polished app with an old TLS or HTTP/2 edge case underneath.
For agent and automation builders, pair this patch with dependency pin review and base-image rebuilds. LinkLoot's AI workflow automation guide is useful here because many automation systems depend on Node.js even when the visible product is an AI workflow.
What to verify before you act
- Confirm every runtime reports v22.23.0, v24.17.0, v26.3.1, or a later patched build.
- Rebuild container images and CI caches; do not assume package lockfile updates replace the runtime.
- Check whether your app uses WebCrypto, TLS client validation, HTTP/2 clients, proxy URLs, or the Node.js Permission Model.
- Review provider release notes for managed runtimes before assuming production is patched.
- For regulated environments, retain the Node.js advisory and CVE records as change evidence.
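The first item in that list, checking that every runtime reports a patched build, is easy to get wrong with a plain string comparison across three major lines. This added example (not code from the Node.js project or this post) compares a version string against the minimum patched release per supported major named in the advisory and treats majors the advisory does not list as needing review; it can run at process startup or as a CI gate.

```javascript
// Added example (not from the Node.js advisory or the article): check a runtime
// version string against the patched releases named in the June 18, 2026 post.
const MIN_PATCHED = {
  22: [22, 23, 0],
  24: [24, 17, 0],
  26: [26, 3, 1],
};

// Parse "v24.16.0" or "24.16.0-nightly..." into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognized version string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Compare [major, minor, patch] tuples numerically: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { ok, reason }. Majors not listed in the advisory (EOL lines such as
// 20, or lines the post does not cover) are reported as not ok rather than
// silently passing, following the advisory's rule that EOL is always affected.
function checkVersion(version) {
  const parsed = parseVersion(version);
  const minimum = MIN_PATCHED[parsed[0]];
  if (!minimum) {
    return { ok: false, reason: `major ${parsed[0]} is not a patched supported line; treat as affected` };
  }
  if (compareVersions(parsed, minimum) < 0) {
    return { ok: false, reason: `below patched release v${minimum.join('.')}` };
  }
  return { ok: true, reason: 'at or above patched release' };
}

// Report on the runtime this script is executing under; a deployment gate
// would fail the build or refuse to start when result.ok is false.
const selfCheck = checkVersion(process.version);
console.log(`${process.version}: ${selfCheck.reason}`);
```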
Source check
Confirmed by:
- The official Node.js June 18, 2026 security release advisory.
- OpenCVE's CVE-2026-48618 record, which lists the affected Node.js lines and CVSS context.
Independent context:
- HKCERT's June 22, 2026 bulletin, which summarizes the Node.js multiple-vulnerability impact as denial of service, data manipulation, security restriction bypass, spoofing, and sensitive information disclosure risk.
Update supported 22.x, 24.x, and 26.x deployments to the patched versions listed by the Node.js project or later patched builds.
