Cyber Resilience

CVE-2026-50021

Severity: Medium · Public PoC

Published: 25 June 2026
Modified: 29 June 2026
KEV Added: not listed
Patch: fixed in 10.34.0 and 11.4.0
CVSS Score (v3.1): 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0013 (2.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-50021 is a medium-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in pnpm (vendor: pnpm). Its CVSS v3.1 base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE ranks at the 2.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Vulnerability details

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.
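Because the fail-open condition is visible in the lockfile itself (a package whose resolution carries no integrity: field), a CI pipeline can refuse to run pnpm install --frozen-lockfile on such a lockfile until the upgrade to 10.34.0 / 11.4.0 has landed. The script below is an added example, not pnpm's own code. It assumes the pnpm-lock.yaml layout used here (a top-level packages: section with one resolution: map per package, written either inline or nested); the sample lockfile, its sha512 value, the package names and the host registry.example.test are all constructed for the example. Git-pinned resolutions legitimately have no integrity field (they are pinned by commit instead), so those are reported but do not fail the check.

```python
import base64
import hashlib
import re
import sys

# Constructed sha512 integrity value for the sample lockfile (not a real package hash).
_FAKE_INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(b"constructed sample").digest()).decode()

# Constructed pnpm-lock.yaml excerpt; the layout (lockfileVersion 9 style) is an assumption.
SAMPLE_LOCKFILE = f"""\
lockfileVersion: '9.0'

packages:

  'left-pad@1.3.0':
    resolution: {{integrity: {_FAKE_INTEGRITY}}}

  'example-tarball@0.0.1':
    resolution: {{tarball: https://registry.example.test/example-tarball-0.0.1.tgz}}

  'example-nested@0.0.3':
    resolution:
      tarball: https://registry.example.test/example-nested-0.0.3.tgz

  'example-git@0.0.2':
    resolution: {{type: git, repo: https://git.example.test/x.git, commit: 0123abcd}}

snapshots:
  'left-pad@1.3.0': {{}}
"""

PACKAGE_KEY_RE = re.compile(r"^  (['\"]?)(\S.*?)\1:\s*$")          # 2-space indented package key
RESOLUTION_RE = re.compile(r"^(\s+)resolution:\s*(?:\{(.*)\})?\s*$")  # inline map or start of nested map
ENTRY_RE = re.compile(r"([A-Za-z]+):\s*([^,}]+)")                   # key: value pairs inside a map


def _parse_entries(text):
    return {key: value.strip() for key, value in ENTRY_RE.findall(text)}


def parse_resolutions(lockfile_text):
    """Return {package_key: {resolution field: value}} for every entry under packages:."""
    resolutions = {}
    lines = lockfile_text.splitlines()
    in_packages = False
    current = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line and not line[0].isspace():          # a top-level key starts a new section
            in_packages = line.rstrip() == "packages:"
            current = None
            i += 1
            continue
        if in_packages:
            key_match = PACKAGE_KEY_RE.match(line)
            if key_match:
                current = key_match.group(2)
                resolutions[current] = {}
                i += 1
                continue
            res_match = RESOLUTION_RE.match(line)
            if res_match and current is not None:
                if res_match.group(2) is not None:  # inline form: resolution: {k: v, ...}
                    resolutions[current] = _parse_entries(res_match.group(2))
                else:                               # nested form: indented k: v lines follow
                    indent = len(res_match.group(1))
                    entries = {}
                    i += 1
                    while i < len(lines) and lines[i].strip() and len(lines[i]) - len(lines[i].lstrip()) > indent:
                        entries.update(_parse_entries(lines[i].strip()))
                        i += 1
                    resolutions[current] = entries
                    continue
        i += 1
    return resolutions


def find_unverified_packages(lockfile_text):
    """List packages with no integrity field; tarball_without_integrity marks the fail-open case."""
    findings = []
    for key, resolution in parse_resolutions(lockfile_text).items():
        if "integrity" in resolution:
            continue
        # Assumption: git resolutions are pinned by commit and never carry an integrity hash.
        pinned_by_commit = resolution.get("type") == "git" or "commit" in resolution
        findings.append({"package": key, "resolution": resolution,
                         "tarball_without_integrity": not pinned_by_commit})
    return findings


def main(argv):
    path = argv[1] if len(argv) > 1 else "pnpm-lock.yaml"
    with open(path, encoding="utf-8") as fh:
        findings = find_unverified_packages(fh.read())
    for finding in findings:
        status = "FAIL" if finding["tarball_without_integrity"] else "info"
        print(f"{status}: {finding['package']} has no integrity field ({finding['resolution']})")
    return 1 if any(f["tarball_without_integrity"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step before the install (python check_lockfile.py pnpm-lock.yaml); a non-zero exit blocks the build. On the constructed sample it fails on the two tarball entries and only reports the git entry. The check covers the lockfile half of the attack precondition; upgrading pnpm to a fixed release is still what closes the gap.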

CWE(s)

CWE-354 Improper Validation of Integrity Check Value

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

Why these techniques?

Vulnerability enables tampering with package contents via lockfile manipulation and registry control, directly facilitating compromise of software dependencies.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: pnpm
Product: pnpm
Versions: ≤ 10.34.0 · 11.0.0 to 11.4.0

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

(addresses CWE-354) Proper validation of integrity check values is required for reliable tamper detection, directly reducing undetected modification risks.

(addresses CWE-354) Requires validation of integrity check values on every resolution response, directly mitigating tampered or corrupted DNS data.

(addresses CWE-354) Control mandates proper validation of integrity values (checksums) on prepared data, making flawed validation of those checks ineffective for attackers.

(addresses CWE-354) Requires use of proper integrity verification tools, reducing the chance an incorrect check value is accepted.

(addresses CWE-354) Requires proper validation of integrity mechanisms, directly mitigating flawed check-value handling.
