PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50017 pnpm CVE debrief

CVE-2026-50017 affects the pnpm package manager: before the fix, pnpm could send a user-level, unscoped npm authentication credential to whatever registry a repository-local .npmrc file selects. The issue was fixed in versions 10.34.0 and 11.4.0; users of pnpm should update to one of those versions (or later) to mitigate it. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. The CVE was published on June 25, 2026, and modified on June 30, 2026.

Vendor: pnpm
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-30
Advisory published: 2026-06-25
Advisory updated: 2026-06-30

Who should care

Developers and administrators using the pnpm package manager should be aware of this vulnerability and take steps to mitigate it: update to a fixed version of pnpm, review repository-local .npmrc files for registry selections that point outside the registries they trust, and review user-level .npmrc files for unscoped npm authentication credentials, which are the credentials this issue can expose.

Technical summary

The pnpm package manager is vulnerable to a credential exposure issue. Prior to versions 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. This occurs during normal pnpm metadata/install workflows, where pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. The vulnerability is fixed in versions 10.34.0 and 11.4.0.

Defensive priority

High priority should be given to updating pnpm to a fixed version. Additionally, users should review their .npmrc files and update their npm authentication credentials as necessary.

Recommended defensive actions

  • Update pnpm to version 10.34.0 or 11.4.0 or later.
  • Review repository-local .npmrc files for registry settings that select a registry you do not control, since such a file chooses where the credential is sent.
  • Review user-level .npmrc files for unscoped npm authentication credentials, and update (rotate) any credential that may have been sent to an untrusted registry.
  • Monitor pnpm usage for suspicious activity, such as installs or metadata requests against unexpected registries.
  • Consider implementing additional security measures, such as two-factor authentication.
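The following is an added example, not code from pnpm or from this debrief, that turns the review steps above and the condition described in the technical summary into a concrete check. It parses npm-style `.npmrc` text, classifies credential entries as unscoped (`_authToken=`, `_auth=`, etc. with no registry prefix) or registry-scoped (`//host/:_authToken=`), collects the registry selections made by a repository-local file (`registry=` and `@scope:registry=`), and reports where a user-level unscoped credential would meet a registry override that is not on a trusted-host list. The sample `.npmrc` contents, the trusted-host list, and the function names (`parseNpmrc`, `classifyCredentials`, `registryOverrides`, `auditNpmrc`, `scopedCredentialLine`) are all constructed for this example; how pnpm itself resolves these keys is not modelled beyond what the debrief states.

```javascript
// Added example (not pnpm's code): audit user-level and repository-local
// .npmrc content for the exposure condition described in CVE-2026-50017,
// i.e. an unscoped user credential combined with a repo-chosen registry.
// Assumptions: .npmrc uses key=value lines; credential keys without a
// "//host/" prefix are unscoped; "//host/path/:_authToken" keys are scoped.

const DEFAULT_REGISTRY = "https://registry.npmjs.org/";
const CRED_KEYS = new Set(["_authToken", "_auth", "_password", "username"]);

// Parse .npmrc text into ordered {key, value} pairs; skips blank lines and
// comments (# or ;). Values are kept verbatim, including ${ENV} placeholders.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Split credential entries into unscoped keys and registry-scoped keys.
function classifyCredentials(entries) {
  const unscoped = [];
  const scoped = [];
  for (const { key } of entries) {
    if (CRED_KEYS.has(key)) { unscoped.push(key); continue; }
    const m = key.match(/^(\/\/.+):(\w+)$/); // greedy: allows ports in the host
    if (m && CRED_KEYS.has(m[2])) scoped.push({ registry: m[1], key: m[2] });
  }
  return { unscoped, scoped };
}

// Registry selections a repository .npmrc can make: "registry" and "@scope:registry".
function registryOverrides(entries) {
  return entries
    .filter(({ key }) => key === "registry" || /^@[^:]+:registry$/.test(key))
    .map(({ key, value }) => ({ key, registry: value }));
}

// Lower-cased host of a registry URL, or null if the value is not a URL.
function hostOf(url) {
  try { return new URL(url).host.toLowerCase(); } catch { return null; }
}

// Findings for each repo-selected registry outside the trusted-host list:
// "high" when an unscoped user credential exists, "info" otherwise.
function auditNpmrc(userText, repoText, trustedRegistries = [DEFAULT_REGISTRY]) {
  const creds = classifyCredentials(parseNpmrc(userText));
  const trustedHosts = new Set(trustedRegistries.map(hostOf).filter(Boolean));
  const findings = [];
  for (const o of registryOverrides(parseNpmrc(repoText))) {
    if (trustedHosts.has(hostOf(o.registry))) continue;
    if (creds.unscoped.length > 0) {
      findings.push({
        severity: "high", key: o.key, registry: o.registry,
        reason: `unscoped credential(s) ${creds.unscoped.join(", ")} would be sent to ${o.registry}`,
      });
    } else {
      findings.push({
        severity: "info", key: o.key, registry: o.registry,
        reason: "registry override to an untrusted host (no unscoped credential present)",
      });
    }
  }
  return findings;
}

// Mitigation helper: the registry-scoped form of a credential line, so the
// token is only attached to the one registry it belongs to.
function scopedCredentialLine(registry, key, value) {
  const u = new URL(registry);
  return `//${u.host}${u.pathname}:${key}=${value}`;
}

// Constructed sample inputs (placeholder token, fictional registry host).
const USER_NPMRC = [
  "# constructed user-level ~/.npmrc",
  "_authToken=npm_EXAMPLE_TOKEN_PLACEHOLDER",
  "email=dev@example.com",
].join("\n");
const REPO_NPMRC = [
  "# constructed repository-local .npmrc",
  "registry=https://registry.example.test/",
  "@acme:registry=https://registry.npmjs.org/",
  "strict-ssl=true",
].join("\n");

console.log(JSON.stringify(auditNpmrc(USER_NPMRC, REPO_NPMRC), null, 2));
console.log(scopedCredentialLine(DEFAULT_REGISTRY, "_authToken", "npm_EXAMPLE_TOKEN_PLACEHOLDER"));
```

Run with `node` to see one "high" finding for the constructed sample: the repository file redirects the default registry to a host not on the trusted list while the user file carries an unscoped `_authToken`; the `@acme` scope pointing at the default registry is skipped because its host is trusted. The `scopedCredentialLine` output shows the form that confines a token to a single registry, which is the configuration to prefer once the credential has been rotated.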

Evidence notes

The CVE-2026-50017 vulnerability was reported by an unknown source and is classified as a MEDIUM severity issue. The vulnerability affects pnpm versions prior to 10.34.0 and 11.4.0. The CVE was published on June 25, 2026, and modified on June 30, 2026. The vulnerability has a CVSS score of 6.9.

Official resources

This article is AI-assisted and based on the supplied source corpus.