CVE-2026-50017
Undergoing Analysis - In Progress
pnpm Credential Exposure via Registry Override

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-26
Affected Vendors & Products
Showing 4 associated CPEs
Vendor   Product   Version / Range
pnpm     pnpm      < 10.34.0 (excluding; range end also recorded as 11.4.0)
pnpm     pnpm      < 11.4.0 (excluding)
pnpm     pnpm      10.34.0
pnpm     pnpm      11.4.0
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Executive Summary

This vulnerability affects pnpm, a package manager. Before versions 10.34.0 and 11.4.0, pnpm could unintentionally send a user's unscoped npm authentication credentials to a registry specified by a repository-local .npmrc file. Specifically, if a user's npm configuration includes a default registry and an unscoped _authToken, and the repository sets a different registry URL without providing its own token, pnpm would bind the user's unscoped credential to that repository-selected registry and send it as an Authorization header during normal metadata or install workflows.

This means that sensitive authentication tokens could be sent to unintended registries, potentially exposing user credentials.

Impact Analysis

The vulnerability can lead to the unintended disclosure of a user's npm authentication token to a registry chosen by a repository's local configuration. This could allow unauthorized access to the user's npm account or packages if the registry is malicious or compromised.

Such exposure could result in unauthorized package publishing, downloading private packages, or other malicious activities performed under the user's credentials.

Mitigation Strategies

To mitigate this vulnerability, upgrade pnpm to version 10.34.0 or later, or 11.4.0 or later, where the issue is fixed.

Compliance Impact

This vulnerability causes unscoped user-level npm authentication credentials to be sent to a registry chosen by a repository-local .npmrc file, which can be attacker-controlled. This leads to unauthorized exposure of sensitive credentials.

Such unauthorized credential leakage can result in violations of data protection and privacy regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access.

Therefore, organizations using vulnerable versions of pnpm may face compliance risks due to potential unauthorized disclosure of authentication credentials.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for unexpected Authorization headers being sent to registries specified by repository-local .npmrc files, especially if those registries differ from the user's default npm registry.

One approach is to inspect the .npmrc files in your repositories to identify if they set a registry different from the user's default registry and check if unscoped _authToken credentials are being sent to those registries during pnpm operations.

You can use network monitoring tools like tcpdump or Wireshark to capture HTTP requests during pnpm install or pnpm view commands and look for Authorization headers sent to unexpected registries.

  • Run pnpm commands with verbose logging to observe registry interactions: `pnpm install --reporter=ndjson`
  • Use tcpdump to capture traffic on port 443 (or 80 if applicable): `sudo tcpdump -i any -A port 443` and filter for Authorization headers. Note that registry traffic over HTTPS is TLS-encrypted, so the header is only visible on plaintext HTTP or with TLS interception (for example a proxy configured via `https-proxy` in the npm config); for HTTPS registries, rely on the .npmrc inspection and verbose-logging steps instead.
  • Manually check repository-local .npmrc files for registry overrides: `grep registry .npmrc`
  • Compare the registry URLs in .npmrc files with the user's default npm registry configuration: `npm config get registry`
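A configuration check for the condition in the Description and in the .npmrc inspection step above, added here as an example and not part of the advisory or of pnpm: it parses a user-level and a repository-local .npmrc (constructed samples embedded inline) and flags the combination of an unscoped user `_authToken` with a project-level `registry=` that points at a different host than the user's registry.

```javascript
// Added example (not from the advisory or pnpm): flag the .npmrc combination
// behind CVE-2026-50017. Both .npmrc contents below are constructed samples.

// Parse .npmrc "key=value" lines into a Map; skips blanks and comment lines.
function parseNpmrc(text) {
  const config = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    config.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return config;
}

// Hostname of a registry URL, or null when the value is not a valid URL.
function registryHost(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Reports whether a user-origin unscoped _authToken would be bound to a
// registry selected by the repository-local .npmrc (the reproduced case).
function checkCredentialExposure(userRcText, projectRcText) {
  const user = parseNpmrc(userRcText);
  const project = parseNpmrc(projectRcText);
  // "_authToken=" with no "//host/:" prefix is the unscoped form; a scoped
  // "//registry.npmjs.org/:_authToken=" key is tied to that host, not flagged.
  const hasUnscopedToken = user.has('_authToken');
  // npm's default registry applies when the user config sets none.
  const userRegistry = user.get('registry') || 'https://registry.npmjs.org/';
  const projectRegistry = project.get('registry') || null;
  const overridesRegistry = projectRegistry !== null &&
    registryHost(projectRegistry) !== registryHost(userRegistry);
  // A repository that supplies its own scoped token is outside the reproduced case.
  const projectHasOwnToken = [...project.keys()].some((k) => k.endsWith(':_authToken'));
  return {
    hasUnscopedToken,
    projectRegistry,
    exposed: hasUnscopedToken && overridesRegistry && !projectHasOwnToken,
  };
}

// Constructed samples: the user's ~/.npmrc and a repository-local .npmrc.
const USER_NPMRC = 'registry=https://registry.npmjs.org/\n_authToken=npm_PLACEHOLDER_TOKEN\n';
const PROJECT_NPMRC = 'registry=https://registry.example.test/\n';

console.log(checkCredentialExposure(USER_NPMRC, PROJECT_NPMRC));
```

Running the check over every repository-local .npmrc in a checkout, with the developer's real user config as the first argument, gives a pre-upgrade inventory of where a token would be redirected.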