Cyber Resilience

CVE-2026-50573

MediumPublic PoC

Published: 25 June 2026

Published
25 June 2026
Modified
29 June 2026
KEV Added
Patch
CVSS Score v3.1 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0011 1.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-50573 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Pnpm Pnpm. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already…

more

locked with an integrity value, and the registry later serves different metadata and tarball content for the same package name and version, pnpm initially reports an integrity mismatch. However, plain pnpm install then performs a resolution repair, accepts the registry's new integrity, updates the lockfile, installs the new content, and exits successfully. This means the lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0 and 11.4.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1195.001 Compromise Software Dependencies and Development Tools Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Bypasses pnpm lockfile integrity verification, enabling registry-supplied altered dependency tarballs to be accepted and installed.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

pnpm
pnpm
≤ 10.34.0 · 11.0.0 — 11.4.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-345

Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

addresses: CWE-345

Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.

addresses: CWE-345

Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.

addresses: CWE-345

Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.

addresses: CWE-345

Control requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission.

addresses: CWE-345

Time synchronization supports reliable freshness verification when checking data authenticity across systems or components.

addresses: CWE-345

Mandates verification of data authenticity for software, firmware, and information.

addresses: CWE-345

Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.

References