CVE Catalog

CVE-2026-50017

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

17th percentile — higher than 17% of all known CVEs

Summary

pnpm before versions 10.34.0 and 11.4.0 can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken, while the repository only sets registry= to a different registry URL. During normal pnpm workflows, the user's credentials are bound to the repository-selected registry and sent as an Authorization header.

Risk Assessment

The risk involves unauthorized disclosure of user npm authentication credentials to an external registry, potentially leading to token theft and unauthorized access to packages or user accounts.

Recommendation

It is recommended to immediately upgrade pnpm to version 10.34.0 or 11.4.0, which contain the fix for this vulnerability.

Original NVD description (English source)

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS