Path Traversal Vulnerability in pnpm Package Manager on Windows
CVE-2026-23889

6.5 MEDIUM

Key Information:

Vendor: Pnpm
Status: Vendor
CVE Published: 26 January 2026

What is CVE-2026-23889?

A path traversal vulnerability exists in the pnpm package manager prior to version 10.28.1 and affects Windows users. It allows a malicious package to write files outside of the intended directory because the path normalization checks are inadequate: only the './' prefix is validated, while the equivalent prefix written with the Windows backslash separator is not. As a result, critical files such as .npmrc and other configuration files can be overwritten, which particularly affects CI/CD workflows on Windows, including GitHub Actions and Azure DevOps. Users are advised to upgrade to version 10.28.1 or later to mitigate this risk.

Affected Version(s)

pnpm < 10.28.1

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved