Package Manager Vulnerability in pnpm by pnpm
CVE-2026-50017

6.9 MEDIUM

Key Information:

Vendor: pnpm
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-50017?

Prior to versions 10.34.0 and 11.4.0, pnpm, a widely used package manager for the npm ecosystem, could send a user's unscoped npm authentication token to a registry the token was never issued for. The problem arose when a repository-local .npmrc file pointed pnpm at a different registry (a `registry=` line) without supplying a token-bearing authentication line for that registry. If the user's own npm configuration carried an unscoped `_authToken` as its default credential, pnpm attached that token to requests sent to the project-specified registry. Whoever operates that registry, for example the author of a repository whose .npmrc was written to redirect installs, receives the token and can replay it against the registry it actually belongs to, which is the unauthorized access the advisory refers to. Later versions fix the behaviour. Practitioners with a top-level `_authToken` in ~/.npmrc should upgrade, replace the unscoped entry with the registry-scoped form (`//registry.npmjs.org/:_authToken=...`), and rotate any token that an affected version may have used while installing from a repository that set its own registry.
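The credential-selection mistake described above, modelled as an added example in JavaScript. This is not pnpm's own code: the hardened rule (send the unscoped token only to the registry the user configured in their own file), the helper names, the audit function and the sample npmrc contents are all assumptions made for illustration, and the parser covers only the `key=value` subset of npmrc syntax.

```javascript
// Added example, not pnpm's code: models the npmrc credential selection behind
// CVE-2026-50017 (unscoped _authToken leaking to a project-chosen registry).
// The hardened rule, the helper names and the sample npmrc texts are assumptions.

const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

// Parse "key=value" lines of an npmrc file into a Map; '#' and ';' start comments.
function parseNpmrc(text) {
  const cfg = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    cfg.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return cfg;
}

// Merge ~/.npmrc and the project .npmrc; project keys win, as in npm's precedence.
function mergeConfig(userText, projectText) {
  return new Map([...parseNpmrc(userText), ...parseNpmrc(projectText)]);
}

// Canonical registry form (scheme + host + path with trailing slash) for comparisons.
function normalizeRegistry(url) {
  const u = new URL(url);
  const path = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/';
  return `${u.protocol}//${u.host}${path}`;
}

// Registry-scoped token lookup: "//host/path/:_authToken" keys, walking up the
// path so that "//host/:_authToken" also covers "https://host/sub/".
function scopedToken(cfg, registryUrl) {
  const u = new URL(registryUrl);
  let path = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/';
  for (;;) {
    const key = `//${u.host}${path}:_authToken`;
    if (cfg.has(key)) return cfg.get(key);
    if (path === '/') return undefined;
    path = path.slice(0, path.lastIndexOf('/', path.length - 2) + 1); // '/a/b/' -> '/a/'
  }
}

// Vulnerable selection, the behaviour the advisory describes: when no scoped token
// matches the target, fall back to the unscoped _authToken for ANY registry.
function authHeaderVulnerable(cfg, targetRegistry) {
  const token = scopedToken(cfg, targetRegistry) ?? cfg.get('_authToken');
  return token ? `Bearer ${token}` : undefined;
}

// Hardened selection (an assumed fix, not necessarily pnpm's patch): the unscoped
// token goes only to the registry configured in the user's own file; a registry
// introduced by a project .npmrc receives nothing unless a scoped token exists.
function authHeaderHardened(userCfg, cfg, targetRegistry) {
  const scoped = scopedToken(cfg, targetRegistry);
  if (scoped) return `Bearer ${scoped}`;
  const userDefault = normalizeRegistry(userCfg.get('registry') ?? DEFAULT_REGISTRY);
  if (normalizeRegistry(targetRegistry) === userDefault && userCfg.has('_authToken')) {
    return `Bearer ${userCfg.get('_authToken')}`;
  }
  return undefined;
}

// Pre-install audit: registries set by the project .npmrc ("registry" or
// "@scope:registry") that would receive the user's unscoped token on a vulnerable
// version, i.e. they differ from the user's default and have no scoped token.
function auditProjectNpmrc(userText, projectText) {
  const userCfg = parseNpmrc(userText);
  if (!userCfg.has('_authToken')) return []; // nothing unscoped to leak
  const cfg = mergeConfig(userText, projectText);
  const userDefault = normalizeRegistry(userCfg.get('registry') ?? DEFAULT_REGISTRY);
  const leaks = [];
  for (const [key, value] of parseNpmrc(projectText)) {
    if (key !== 'registry' && !key.endsWith(':registry')) continue;
    const target = normalizeRegistry(value);
    if (target !== userDefault && scopedToken(cfg, target) === undefined) {
      leaks.push({ key, registry: target });
    }
  }
  return leaks;
}

// Constructed sample files (not real credentials).
const USER_NPMRC = `# ~/.npmrc: legacy unscoped token, the risky shape
_authToken=npm_userSecretToken123
`;
const PROJECT_NPMRC = `# project .npmrc: redirects the registry, supplies no auth line
registry=https://registry.example.internal/npm/
`;

// Summarise what each policy would send to the project's registry.
function demo() {
  const userCfg = parseNpmrc(USER_NPMRC);
  const cfg = mergeConfig(USER_NPMRC, PROJECT_NPMRC);
  const target = cfg.get('registry');
  return {
    target,
    vulnerable: authHeaderVulnerable(cfg, target),
    hardened: authHeaderHardened(userCfg, cfg, target),
    leaks: auditProjectNpmrc(USER_NPMRC, PROJECT_NPMRC),
  };
}

console.log(demo());
```

Running the file with `node` prints the vulnerable policy attaching the user's token to `https://registry.example.internal/npm/` while the hardened policy sends no credential there; `auditProjectNpmrc` is the check to run over a freshly cloned repository before the first install on a version that has not been upgraded. Adding a scoped line such as `//registry.example.internal/:_authToken=...` to the project file makes both policies use that token and empties the audit result, which is the intended shape of per-registry credentials.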

Affected Version(s)

pnpm < 10.33.4

pnpm >= 11.0.0, < 11.4.0

The description above gives the 10.x fix as 10.34.0 while the range here ends at 10.33.4; confirm the boundary against the upstream advisory before treating a 10.33.x install as patched.

CVSS v4

Score: 6.9
Severity: Medium
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: not given on this page
User Interaction: not given on this page
Confidentiality: High
Integrity: None
Availability: None

Timeline

  • Vulnerability published: 25 June 2026