Vulnerability Description
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pnpm | Pnpm | < 10.28.1 |
Related Weaknesses (CWE)
References
- https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062dPatch
- https://github.com/pnpm/pnpm/releases/tag/v10.28.1Release Notes
- https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34hExploitVendor Advisory
FAQ
What is CVE-2026-23890?
CVE-2026-23890 is a vulnerability with a CVSS score of 6.5 (MEDIUM). pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/...
How severe is CVE-2026-23890?
CVE-2026-23890 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23890?
Check the references section above for vendor advisories and patch information. Affected products include: Pnpm Pnpm.