Improper Neutralization of Argument Delimiters in a Command in pnpm - CVE-2026-50014


Published: June 15, 2026


Vulnerability identifier: #VU134545
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-50014
CWE-ID: CWE-88
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: pnpm
Affected software:
pnpm

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the machine that runs pnpm install.

The vulnerability exists due to improper neutralization of argument delimiters in pnpm's git fetcher: the commit value taken from the lockfile is handed to git during the shallow fetch of a git dependency without being validated or separated from git's own options. A remote user who can get a crafted value into a project's pnpm-lock.yaml (for example, via a contributed change to that file) can supply a commit value that git parses as an option rather than as a revision, inject git options, and execute arbitrary code.

Exploitation requires user interaction (a victim runs pnpm install against the crafted lockfile), and the affected dependency must be fetched over SSH or a local git transport, because the HTTPS transport ignores the injected git option.
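The following is an added example, not pnpm's own code. It models the failure mode described above (a lockfile-controlled commit value reaching `git fetch` as an argument), the two checks that close it (a strict hex object-name check and a `--` end-of-options marker), and a lockfile scan a practitioner can run before installing. The argv layout, the lockfile entry shape, the `example.invalid` URLs and the `--injected-option=value` placeholder are assumptions or constructed test data; the placeholder is not a real git option.

```javascript
'use strict';

// Added example, not pnpm's code. The vulnerable argv shape, the lockfile
// entry shape and every URL below are assumptions or constructed data.

// A git object name is 40 (SHA-1) or 64 (SHA-256) hex digits. Anything else,
// and in particular anything starting with '-', must not reach git as a
// positional argument.
const OBJECT_NAME_RE = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/i;

function isObjectName(value) {
  return typeof value === 'string' && OBJECT_NAME_RE.test(value);
}

// Assumed vulnerable shape: shallow-fetch the pinned commit by appending the
// lockfile value directly. A value such as "--foo" sits where git parses options.
function buildFetchArgsUnsafe(repo, commit) {
  return ['fetch', '--depth=1', repo, commit];
}

// Hardened shape: validate the value, then terminate option parsing with "--"
// so that nothing after it can be read as an option even if the validation is
// later loosened.
function buildFetchArgsSafe(repo, commit) {
  if (!isObjectName(commit)) {
    throw new Error(`refusing non-hex commit value ${JSON.stringify(commit)}`);
  }
  return ['fetch', '--depth=1', '--', repo, commit];
}

// Arguments git would treat as options: those after the subcommand that start
// with '-' and appear before the first bare "--".
function optionArgs(argv) {
  const out = [];
  for (const a of argv.slice(1)) {
    if (a === '--') break;
    if (a.startsWith('-')) out.push(a);
  }
  return out;
}

// The advisory notes that HTTPS ignores the injected option while SSH and local
// transports honour it. Classify by URL prefix (assumed set of prefixes).
function transportHonoursOption(repo) {
  const r = repo.replace(/^git\+/, '');
  if (/^https?:\/\//i.test(r)) return false;
  return /^(ssh:\/\/|git@|file:\/\/|\/|\.\/|\.\.\/)/.test(r);
}

// Scan pnpm-lock.yaml text for git resolutions whose commit is not a hex object
// name. Assumed entry shape: `resolution: {type: git, repo: ..., commit: ...}`.
function auditLockfile(text) {
  const findings = [];
  const resolutionRe = /resolution:\s*\{([^}]*)\}/g;
  let m;
  while ((m = resolutionRe.exec(text)) !== null) {
    const body = m[1];
    if (!/\btype:\s*git\b/.test(body)) continue;
    const repo = (/\brepo:\s*([^,}\s]+)/.exec(body) || [])[1] || '';
    const commit = (/\bcommit:\s*([^,}\s]+)/.exec(body) || [])[1] || '';
    if (!isObjectName(commit)) {
      findings.push({ repo, commit, exploitableTransport: transportHonoursOption(repo) });
    }
  }
  return findings;
}

// Constructed lockfile fragment: one clean pin, one crafted value over SSH,
// one crafted value over HTTPS (flagged, but the transport ignores the option).
const SAMPLE_LOCKFILE = `
packages:
  good-dep@git+ssh://git@example.invalid/org/good-dep.git#0123456789abcdef0123456789abcdef01234567:
    resolution: {type: git, repo: git+ssh://git@example.invalid/org/good-dep.git, commit: 0123456789abcdef0123456789abcdef01234567}
  bad-dep@git+ssh://git@example.invalid/org/bad-dep.git#x:
    resolution: {type: git, repo: git+ssh://git@example.invalid/org/bad-dep.git, commit: --injected-option=value}
  https-dep@git+https://example.invalid/org/https-dep.git#y:
    resolution: {type: git, repo: git+https://example.invalid/org/https-dep.git, commit: --injected-option=value}
`;

const CRAFTED = '--injected-option=value'; // placeholder, not a real git option
const REPO = 'git+ssh://git@example.invalid/org/bad-dep.git';

function demo() {
  let rejected = null;
  try { buildFetchArgsSafe(REPO, CRAFTED); } catch (e) { rejected = e.message; }
  return {
    unsafeOptionArgs: optionArgs(buildFetchArgsUnsafe(REPO, CRAFTED)),
    safeRejection: rejected,
    findings: auditLockfile(SAMPLE_LOCKFILE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hex check is the control that matters: a value restricted to hexadecimal digits can never begin with a dash. The `--` marker is defence in depth, and `transportHonoursOption` only prioritises findings; a non-hex commit value in a lockfile is worth rejecting regardless of transport.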


How to mitigate CVE-2026-50014

Install the security update from the vendor's website. Until the update is applied, treat git dependencies in pnpm-lock.yaml as untrusted input: check that the commit value of every git resolution is a plain hexadecimal object name (40 or 64 hex digits) that does not begin with a dash, and be especially cautious with dependencies resolved over SSH or local git paths, since those transports honour the injected option.
