Vulnerability Details CVE-2026-50014
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git option such as --upload-pack=<command>. For SSH and local transports, --upload-pack can execute the supplied command. HTTPS transports ignore --upload-pack, so the practical attack surface is primarily SSH or local git dependencies. This vulnerability is fixed in 10.34.0 and 11.4.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 6.6%
CVSS Severity
CVSS v3 Score 6.4
References
Products affected by CVE-2026-50014
-
cpe:2.3:a:pnpm:pnpm:11.0.0
-
cpe:2.3:a:pnpm:pnpm:11.0.1
-
cpe:2.3:a:pnpm:pnpm:11.0.2
-
cpe:2.3:a:pnpm:pnpm:11.0.3
-
cpe:2.3:a:pnpm:pnpm:11.0.4
-
cpe:2.3:a:pnpm:pnpm:11.0.5
-
cpe:2.3:a:pnpm:pnpm:11.0.6
-
cpe:2.3:a:pnpm:pnpm:11.0.7
-
cpe:2.3:a:pnpm:pnpm:11.0.8
-
cpe:2.3:a:pnpm:pnpm:11.0.9
-
cpe:2.3:a:pnpm:pnpm:11.1.0
-
cpe:2.3:a:pnpm:pnpm:11.1.1
-
cpe:2.3:a:pnpm:pnpm:11.1.2
-
cpe:2.3:a:pnpm:pnpm:11.1.3
-
cpe:2.3:a:pnpm:pnpm:11.2.0
-
cpe:2.3:a:pnpm:pnpm:11.2.1
-
cpe:2.3:a:pnpm:pnpm:11.2.2
-
cpe:2.3:a:pnpm:pnpm:11.3.0