CVE-2026-50021
pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
| CVSS Score | 6.8 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.
| CWE | CWE-354 |
| Vendor | pnpm |
| Product | pnpm |
| Published | Jun 25, 2026 |
| Last Updated | Jun 26, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | None |
Affected Versions
| pnpm / pnpm | < 10.34.0 |
| pnpm / pnpm | >= 11.0.0, < 11.4.0 |