Information disclosure in pnpm
CVE-2026-50017
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a defau…
Vulnerability class: Information Disclosure
Affected products
- pnpm — versions < 10.33.4, >= 11.0.0, < 11.4.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)