CVE-2026-50017

Vulnerability Description

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.

Vulnerability Details

Published Date

June 25, 2026

Last Modified

June 25, 2026

CWE ID

CWE-200

Source

NVD

Vendor

pnpm

Product

pnpm

External References

https://github.com/pnpm/pnpm/security/advisories/GHSA-cjhr-43r9-cfmw

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment