CVE-2026-49983

MEDIUM 5.2

Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access

CVSS Score

5.2

EPSS Score

0.0%

EPSS Percentile

0th

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile() (the Node-compatible API for loading variables from a .env file) does not honor this. It only checks that the program has read permission for the dotenv file, then writes every key in that file into the process environment — even when env access is denied. In effect, --allow-read plus a writable or attacker-controlled .env file is enough to defeat --deny-env. This vulnerability is fixed in 2.8.1.

CWE	CWE-863
Vendor	denoland
Product	deno
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for denoland deno

Be the first to know when new medium vulnerabilities affecting denoland deno are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

denoland / deno

< 2.8.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/denoland/deno/security/advisories/GHSA-4c8g-jvcx-v4hv