Path Traversal Vulnerability in pnpm Package Manager by pnpm
CVE-2026-23890

6.5 MEDIUM

Key Information:

Vendor

Pnpm

Status
Vendor
CVE Published:
26 January 2026

What is CVE-2026-23890?

A path traversal vulnerability exists in pnpm's bin linking functionality that allows a malicious npm package to create executable shims or symlinks outside the intended node_modules/.bin directory. The flaw occurs because bin names beginning with @ bypass the initial validation checks, so a bin name containing traversal sequences such as ../../ can cause pnpm to write the shim elsewhere on the filesystem, overwriting configuration files, scripts, or other sensitive data. Users and CI/CD pipelines that install packages with pnpm before version 10.28.1 are at risk. Version 10.28.1 includes a patch for this issue.

Affected Version(s)

pnpm < 10.28.1

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
