2433090 – (CVE-2026-23890) CVE-2026-23890 pnpm: pnpm: Arbitrary code execution via path traversal in bin linking

Bug 2433090 (CVE-2026-23890) - CVE-2026-23890 pnpm: pnpm: Arbitrary code execution via path traversal in bin linking

Summary: CVE-2026-23890 pnpm: pnpm: Arbitrary code execution via path traversal in bin...

Keywords:
Status:	NEW
Alias:	CVE-2026-23890
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-26 22:01 UTC by OSIDB Bzimport
Modified:	2026-02-18 08:27 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-26 22:01:44 UTC

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages, CI/CD pipelines using pnpm, and those who can overwrite config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.

Note You need to log in before you can comment on or make changes to this bug.