Improper validation of integrity check value in pnpm - CVE-2026-50021

Published: June 15, 2026


Vulnerability identifier: #VU134546
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-50021
CWE-ID: CWE-354
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: pnpm
Affected software:
pnpm

Detailed vulnerability description

The vulnerability allows a remote user to install altered package content without an integrity error.

The vulnerability exists due to improper validation of the integrity check value in the tarball extraction worker when it processes lockfile resolutions that omit the integrity field. A remote user who can modify pnpm-lock.yaml to remove the integrity field, and can cause the referenced registry URL to serve altered package content, can have that altered content installed without an integrity error.

The issue affects pnpm install with --frozen-lockfile because integrity verification is silently skipped when the lockfile entry lacks an integrity value.
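As an added audit example (not pnpm's own code and not part of this advisory), the script below lists the entries in a pnpm-lock.yaml whose resolution carries no integrity value, which is the condition under which the skip described above occurs. The lockfile text, the helper name and the registry host are constructed for illustration.

```javascript
// Added audit helper, not pnpm's own code: list package entries in a
// pnpm-lock.yaml whose `resolution` has no `integrity` value, the precondition
// for the silent verification skip in CVE-2026-50021. Line-based scan of the
// `packages:` section so it needs no YAML library; handles the inline form
// `resolution: {integrity: ..., tarball: ...}` and the block (multi-line) form.
function findEntriesMissingIntegrity(lockfileText) {
  const missing = [];
  let inPackages = false, current = null, sawIntegrity = false, inResolution = false;
  const finish = () => { if (current && !sawIntegrity) missing.push(current); };
  for (const raw of lockfileText.split('\n')) {
    const trimmed = raw.trim();
    if (trimmed === '' || trimmed.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {                    // top-level key: packages:, snapshots:, ...
      finish(); current = null; inPackages = trimmed === 'packages:';
    } else if (!inPackages) {
      continue;
    } else if (indent === 2 && trimmed.endsWith(':')) {   // new package entry
      finish();
      current = trimmed.slice(0, -1).replace(/^['"]|['"]$/g, '');
      sawIntegrity = false; inResolution = false;
    } else if (indent === 4 && trimmed.startsWith('resolution:')) {
      const rest = trimmed.slice('resolution:'.length).trim();
      inResolution = rest === '';          // block form: keys follow on deeper lines
      sawIntegrity = /(^|[{,\s])integrity:\s*\S/.test(rest);
    } else if (indent === 4) {
      inResolution = false;                // another key of the entry (dev:, engines:, ...)
    } else if (inResolution && trimmed.startsWith('integrity:') && trimmed.length > 10) {
      sawIntegrity = true;
    }
  }
  finish();
  return missing;
}
// Constructed sample lockfile (not from a real project): one entry with an inline
// integrity, one whose resolution omits it, one with block-form integrity.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  left-pad@1.3.0:
    resolution: {integrity: sha512-EXAMPLEONLY, tarball: https://registry.example/left-pad-1.3.0.tgz}
  some-lib@2.0.0:
    resolution: {tarball: https://registry.example/some-lib-2.0.0.tgz}
  other-lib@0.1.0:
    resolution:
      tarball: https://registry.example/other-lib-0.1.0.tgz
      integrity: sha512-EXAMPLEONLY
`;
console.log(findEntriesMissingIntegrity(SAMPLE_LOCKFILE)); // [ 'some-lib@2.0.0' ]
```

Running it against a real lockfile before `pnpm install --frozen-lockfile` turns a silent skip into a visible list of entries that need an integrity value restored or a lockfile regenerated from a trusted registry.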


How to mitigate CVE-2026-50021

Install security update from vendor's website.

Sources