Insufficient verification of data authenticity in pnpm - CVE-2026-50573

Published: June 15, 2026

Vulnerability identifier: #VU134544
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-50573
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: pnpm
Affected software:
pnpm

Detailed vulnerability description

The vulnerability allows a remote attacker to install altered package content and compromise integrity protections.

The vulnerability exists due to insufficient verification of data authenticity in pnpm install when processing package downloads whose tarball integrity does not match the value recorded in pnpm-lock.yaml during non-frozen installation. A remote attacker can serve modified package metadata and tarball content for an existing package version to install altered package content and compromise integrity protections.

User interaction is required to run a non-frozen install in a new or clean environment, and the issue does not occur in frozen-lockfile mode.

How to mitigate CVE-2026-50573

Install the security update from the vendor's website.

Sources