Vulnerability Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-50017?
CVE-2026-50017 is a documented vulnerability. pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case,...
How severe is CVE-2026-50017?
CVSS scoring is not yet available for CVE-2026-50017. Check NVD for updates.
Is there a patch for CVE-2026-50017?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.