CVE-2026-50017
Severity CVSS v4.0:
MEDIUM
Type:
CWE-200
Information Leak / Disclosure
Publication date:
25/06/2026
Last modified:
30/06/2026
Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:* | 10.34.0 (excluding) | |
| cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:* | 11.0.0 (including) | 11.4.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



