Vulnerability in Pnpm
CVE-2026-50021
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove…
CVSS v3 metric
CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N.
Affected products
- Pnpm: versions < 10.34.0
- Pnpm: versions >= 11.0.0 and < 11.4.0
Weakness classification (CWE)
- CWE-354: Improper Validation of Integrity Check Value
References
- GitHub security advisory (security-advisories@github.com, vendor-confirmed reference)
Frequently asked questions
- What is CVE-2026-50021?
- CVE-2026-50021 is a medium-severity vulnerability in Pnpm, classified under Improper Validation of Integrity Check Value. CVSS score: 6.8/10. Published 2026-06-25.
- How severe is CVE-2026-50021?
- Medium severity. CVSS v3 base score is 6.8 out of 10.