Integrity Verification Bypass in pnpm Package Manager
CVE-2026-50021

6.8MEDIUM

Key Information:

Vendor: Pnpm
Status: Pnpm
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-50021?

pnpm is a popular package manager, but earlier versions (prior to 10.34.0 and 11.4.0) exhibit a serious flaw where the tarball extraction worker does not perform integrity verification if the integrity field is missing from the lockfile. This issue allows an attacker to manipulate the pnpm-lock.yaml file to remove the integrity field, potentially serving malicious package content from a compromised registry URL. As a result, executing pnpm install with the --frozen-lockfile option could result in the installation of altered packages without any integrity check, leading to potential security breaches. This vulnerability highlights a critical oversight in pnpm's verification mechanisms, differentiating it from npm, which enforces integrity checks by default.

Affected Version(s)

pnpm < 10.34.0 < 10.34.0

pnpm >= 11.0.0, < 11.4.0 < 11.0.0, 11.4.0

References

https://github.com/pnpm/pnpm/security/advisories/GHSA-q6j...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 2, 2026

CVE-2026-50021 Data

JSON

Pnpm

What is CVE-2026-50021?

Affected Version(s)

References

CVSS V3.1

Timeline