Vulnerability in pnpm Package Manager Affecting Multiple Versions
CVE-2026-50573

6.8 MEDIUM

Key Information:

Vendor: pnpm
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-50573?

The pnpm package manager, in versions prior to 10.34.0 and 11.4.0, has a vulnerability in which the pnpm install command in non-frozen mode can incorrectly accept new remote package content even when the integrity of the downloaded tarball does not match the value recorded in pnpm-lock.yaml. This occurs when a package already has an integrity value in the lockfile and the registry later serves metadata and tarball content that are inconsistent with it. Although pnpm detects the initial integrity mismatch, it continues the installation and updates the lockfile, so the integrity check is not enforced as a strict barrier to installation. Users should upgrade to the patched versions to mitigate this risk.

Affected Version(s)

pnpm < 10.33.4

pnpm >= 11.0.0, < 11.4.0

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved