CVE-2026-23889
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-01-28

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-28
Generated
2026-06-19
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-18
NVD
CVE-2026-23889
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pnpm pnpm to 10.28.1 (exc)
microsoft windows *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a path traversal issue in the pnpm package manager on Windows systems prior to version 10.28.1. It occurs because the tarball extraction process only checks for './' in paths but not for '.\', which is used as a directory separator on Windows. This allows malicious packages to write files outside the intended package directory by exploiting backslash separators, potentially overwriting important files.

Impact Analysis

The vulnerability can allow attackers to overwrite critical files such as .npmrc, build configuration files, or other important files on Windows systems using pnpm. This can compromise the integrity of your development environment or CI/CD pipelines, especially on Windows runners like GitHub Actions or Azure DevOps, potentially leading to unauthorized changes or disruptions.

Mitigation Strategies

Upgrade pnpm to version 10.28.1 or later, which contains a patch for this path traversal vulnerability. Additionally, review and restrict the use of untrusted packages in Windows environments and CI/CD pipelines to minimize risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart