{"api_version":"1","generated_at":"2026-06-26T03:58:57+00:00","cve":"CVE-2026-50573","urls":{"html":"https://cve.report/CVE-2026-50573","api":"https://cve.report/api/cve/CVE-2026-50573.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-50573","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-50573"},"summary":{"title":"pnpm: Unsafe default behavior breaks integrity check","description":"pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the registry later serves different metadata and tarball content for the same package name and version, pnpm initially reports an integrity mismatch. However, plain pnpm install then performs a resolution repair, accepts the registry's new integrity, updates the lockfile, installs the new content, and exits successfully. This means the lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0 and 11.4.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-25 18:16:39","updated_at":"2026-06-25 19:16:39"},"problem_types":["CWE-345","CWE-345 CWE-345: Insufficient Verification of Data Authenticity"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"6.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-54hh-g5mx-jqcp","name":"https://github.com/pnpm/pnpm/security/advisories/GHSA-54hh-g5mx-jqcp","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-50573","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50573","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"pnpm","product":"pnpm","version":"affected < 10.33.4","platforms":[]},{"source":"CNA","vendor":"pnpm","product":"pnpm","version":"affected >= 11.0.0, < 11.4.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-50573","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-25T17:54:41.646397Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-25T17:54:52.221Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-54hh-g5mx-jqcp"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"pnpm","vendor":"pnpm","versions":[{"status":"affected","version":"< 10.33.4"},{"status":"affected","version":">= 11.0.0, < 11.4.0"}]}],"descriptions":[{"lang":"en","value":"pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the registry later serves different metadata and tarball content for the same package name and version, pnpm initially reports an integrity mismatch. However, plain pnpm install then performs a resolution repair, accepts the registry's new integrity, updates the lockfile, installs the new content, and exits successfully. This means the lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0 and 11.4.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-345","description":"CWE-345: Insufficient Verification of Data Authenticity","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-25T16:50:21.093Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/pnpm/pnpm/security/advisories/GHSA-54hh-g5mx-jqcp","tags":["x_refsource_CONFIRM"],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-54hh-g5mx-jqcp"}],"source":{"advisory":"GHSA-54hh-g5mx-jqcp","discovery":"UNKNOWN"},"title":"pnpm: Unsafe default behavior breaks integrity check"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-50573","datePublished":"2026-06-25T16:50:21.093Z","dateReserved":"2026-06-04T21:34:34.427Z","dateUpdated":"2026-06-25T17:54:52.221Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 18:16:39","lastModifiedDate":"2026-06-25 19:16:39","problem_types":["CWE-345","CWE-345 CWE-345: Insufficient Verification of Data Authenticity"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-25T17:54:41.646397Z","id":"CVE-2026-50573","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"50573","Ordinal":"1","Title":"pnpm: Unsafe default behavior breaks integrity check","CVE":"CVE-2026-50573","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"50573","Ordinal":"1","NoteData":"pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the registry later serves different metadata and tarball content for the same package name and version, pnpm initially reports an integrity mismatch. However, plain pnpm install then performs a resolution repair, accepts the registry's new integrity, updates the lockfile, installs the new content, and exits successfully. This means the lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0 and 11.4.0.","Type":"Description","Title":"pnpm: Unsafe default behavior breaks integrity check"}]}}}