Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.
Published: 2026-06-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pnpm, a popular package manager, improperly binds a user’s unscoped npm authentication token to a registry specified by a repository’s local .npmrc file. Before version 10.34.0 and 11.4.0, the token is sent as an Authorization header to the registry chosen by the .npmrc file, potentially exposing the token and allowing the attacker to impersonate the user. The weakness is in credential storage (CWE‑201) and insecure credential handling (CWE‑522).

Affected Systems

pnpm 10.x versions earlier than 10.34.0 and pn than 11.4.0 are vulnerable. The vulnerability arises when a repository includes a .npmrc that sets the registry property but omits an explicit auth entry.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in CISA KEV. Based on the most likely attack vector would involve a repository maintainer or collaborator placing a malicious .npmrc file in a project, configuring the registry to point to an attacker, which leads to the token being sent as an Authorization header to the remote registry.

Generated by OpenCVE AI on July 14, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pnpm to version 10.34.0 or later, or 11.4.0 or later.
  • Review all repository .npmrc files to ensure the registry setting does not point to an unintended or untrusted registry URL.
  • If the custom registry, remove the registry= line or set it to the same URL as the user’s default registry.

Generated by OpenCVE AI on July 14, 2026 at 01:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cjhr-43r9-cfmw pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
History

Tue, 07 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-201
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Pnpm
Pnpm pnpm
Vendors & Products Pnpm
Pnpm pnpm

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.
Title pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
Weaknesses CWE-200
CWE-522
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:42:51.869Z

Reserved: 2026-06-02T22:46:02.579Z

Link: CVE-2026-50017

cve-icon Vulnrichment

Updated: 2026-06-26T18:38:02.499Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T16:56:04Z

Links: CVE-2026-50017 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T01:45:03Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-201

    Insertion of Sensitive Information Into Sent Data

  • CWE-522

    Insufficiently Protected Credentials