CVE-2026-50021
Published: 25 June 2026
Summary
CVE-2026-50021 is a medium-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in the pnpm package manager (vendor/product listed as Pnpm Pnpm). Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE is ranked at the 2.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-39488
Vulnerability details
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.
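The precondition above is visible in the lockfile itself: an entry under packages: whose resolution: carries no integrity: value. The following is an added example, not pnpm's own code, of a CI gate that scans a pnpm-lock.yaml for such entries so a pipeline can refuse to run pnpm install --frozen-lockfile on an unverifiable lockfile. It assumes the lockfile layout in which package keys are indented two spaces under packages: and each has a four-space resolution: mapping, either inline ({...}) or nested on the following lines; the sample lockfile and the registry.example.test URLs are constructed.

```javascript
// Added example, not pnpm's own code: flag pnpm-lock.yaml entries whose
// resolution: has no integrity: value (the condition under which pnpm before
// 10.34.0 / 11.4.0 installed the tarball unchecked). Layout is an assumption.
function findEntriesWithoutIntegrity(lockfileText) {
  const missing = [];
  let inPackages = false, inResolution = false;
  let current = null, resolutionSeen = false, integritySeen = false;
  const finish = () => {
    if (current !== null && resolutionSeen && !integritySeen) missing.push(current);
  };
  for (const raw of lockfileText.split(/\r?\n/)) {
    const line = raw.trimEnd();
    if (line === '') continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0) {                                            // section header
      finish();
      current = null;
      inPackages = body === 'packages:';
    } else if (inPackages && indent === 2 && body.endsWith(':')) { // package entry
      finish();
      current = body.slice(0, -1).replace(/^'|'$/g, '');
      resolutionSeen = integritySeen = inResolution = false;
    } else if (current !== null && indent === 4) {                 // entry-level key
      inResolution = body.startsWith('resolution:');
      if (inResolution) {
        resolutionSeen = true;
        integritySeen = /\bintegrity:/.test(body);                 // inline {...} form
      }
    } else if (inResolution && indent > 4 && body.startsWith('integrity:')) {
      integritySeen = true;                                        // nested form
    }
  }
  finish();
  return missing;
}
// Constructed sample: evil-helper deliberately has a tarball URL but no integrity.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  left-pad@1.3.0:
    resolution: {integrity: sha512-CONSTRUCTED0==}
  evil-helper@2.0.0:
    resolution: {tarball: https://registry.example.test/evil-helper-2.0.0.tgz}
  '@acme/tools@0.1.0':
    resolution:
      tarball: https://registry.example.test/tools-0.1.0.tgz
      integrity: sha512-CONSTRUCTED1==
    engines: {node: '>=18'}
`;
console.log('entries without integrity:', findEntriesWithoutIntegrity(SAMPLE_LOCKFILE));
```

A non-empty result should fail the pipeline before install runs; on fixed pnpm versions the same entries would instead be rejected by pnpm itself.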
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Vulnerability enables tampering with package contents via lockfile manipulation and registry control, directly facilitating compromise of software dependencies.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Proper validation of integrity check values is required for reliable tamper detection, directly reducing undetected modification risks.
Requires validation of integrity check values on every resolution response, directly mitigating tampered or corrupted DNS data.
Control mandates proper validation of integrity values (checksums) on prepared data, making flawed validation of those checks ineffective for attackers.
Requires use of proper integrity verification tools, reducing the chance an incorrect check value is accepted.
Requires proper validation of integrity mechanisms, directly mitigating flawed check-value handling.