HackerOne Disclosed Reports - 2026-04-23


High
resolved

Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS


Bug reported by mbarbs was disclosed on April 23, 2026, 10:21 pm

A flaw was discovered in Node.js TLS error handling that left SNICallback invocations unprotected against synchronous exceptions. This was an incomplete fix for CVE-2026-21637, which had already hardened the equivalent ALPN and PSK callbacks. The issue could lead to a remote denial of service: when an SNICallback threw synchronously on unexpected input (for example an unknown servername sent by the client), the exception bypassed the TLS error handlers and propagated as an uncaught exception, crashing the Node.js process.


Medium
resolved

RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs


Bug reported by Arccode was disclosed on April 23, 2026, 9:45 am   |   Improper Access Control - Generic




