CVE-2026-50021 | pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm… | CVSS 6.8 MEDIUM

Description

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.

Metadata

CVE ID: CVE-2026-50021
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-02 22:46 UTC
Published: 2026-06-25 16:48 UTC
Last updated: 2026-06-25 16:48 UTC
Primary CWE: CWE-354
CWE-354: Improper Validation of Integrity Check Value
Vendor / Product: pnpm / pnpm
Sources: cve.org · NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
pnpm	pnpm	—	< 10.34.0, >= 11.0.0, < 11.4.0

Weakness (CWE)

CWE	Source	Description
CWE-354	cna	CWE-354: Improper Validation of Integrity Check Value

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References (1)

https://github.com/pnpm/pnpm/security/advisories/GHSA-q6j5-fjx5-2mc3 https://github.com/pnpm/pnpm/security/advisories/GHSA-q6j5-fjx5-2mc3