CVE-2026-55698

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp
https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp

Configurations

No configuration.

History

26 Jun 2026, 04:17

Type	Values Removed	Values Added
References	~~() https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp -~~	() https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp -

25 Jun 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-25 18:16

Updated : 2026-06-26 05:16

NVD link : CVE-2026-55698

Mitre link : CVE-2026-55698

CVE.ORG link : CVE-2026-55698

JSON object : View

Products Affected

No product.

CWE

CWE-345

Insufficient Verification of Data Authenticity

CWE-494

Download of Code Without Integrity Check

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

{"id": "CVE-2026-55698", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-55698", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-06-25T00:00:00+00:00"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"status": "affected", "version": "< 10.34.2"}, {"status": "affected", "version": ">= 11.0.0, < 11.5.3"}]}]}], "published": "2026-06-25T18:16:40.837", "references": [{"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp", "source": "security-advisories@github.com"}, {"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-494"}, {"lang": "en", "value": "CWE-829"}]}], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3."}], "lastModified": "2026-06-26T05:16:30.780", "sourceIdentifier": "security-advisories@github.com"}