CVE-2026-23890 - Vulnerability Details

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
https://github.com/pnpm/pnpm/releases/tag/v10.28.1
https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h

History

Mon, 26 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description	pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages, CI/CD pipelines using pnpm, and those who can overwrite config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.	pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.

Mon, 26 Jan 2026 22:00:00 +0000

Type	Values Removed	Values Added
Description		pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages, CI/CD pipelines using pnpm, and those who can overwrite config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.
Title		pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Weaknesses		CWE-23
References		https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d https://github.com/pnpm/pnpm/releases/tag/v10.28.1 https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-26T21:53:40.810Z

Updated: 2026-01-26T22:00:34.275Z

Reserved: 2026-01-16T21:02:02.902Z

Link: CVE-2026-23890

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-26T22:15:56.363

Modified: 2026-01-26T22:15:56.363

Link: CVE-2026-23890

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object