CVE-2026-23890: pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

January 26, 2026 (updated January 29, 2026)

A path traversal vulnerability in pnpm’s bin linking allows malicious npm packages to create executable shims or symlinks outside of node_modules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact.

References

github.com/advisories/GHSA-xpqm-wm3m-f34h
github.com/pnpm/pnpm
github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
github.com/pnpm/pnpm/releases/tag/v10.28.1
github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
nvd.nist.gov/vuln/detail/CVE-2026-23890

Code Behaviors & Features

Detect and mitigate CVE-2026-23890 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →