CVE-2026-45321 - Vulnerability Analysis
Severity: Critical | CVSS: 9.6 | Last Updated: May 12, 2026
TanStack @tanstack/* - Authentication Bypass & Remote Code Execution
Published: May 12, 2026 | Updated: May 12, 2026 | PoC Available | Remote Exploitable
Overview
TanStack @tanstack/* packages were affected by a credential-stealing malware injection that resulted from chained weaknesses in GitHub Actions workflows and OIDC token extraction, allowing attackers to publish malicious versions under a trusted identity. Exploitation requires a GitHub Actions misconfiguration and cache poisoning.
Severity & Score
Severity: Critical
CVSS Score: 9.6
Impact
Attackers can publish malicious package versions under trusted identity, leading to widespread credential theft and supply chain compromise.
Mitigation
Review and fix GitHub Actions workflows to remove pull_request_target misconfigurations and prevent cache poisoning; rotate credentials and update to clean package versions.
References
- https://github.com/TanStack/router/issues/7383
- https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
- https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
- https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
Details
- CVE ID: CVE-2026-45321
- Severity: Critical
- CVSS Score: 9.6
- Type: misconfiguration
- Status: new
CWE
- CWE-506
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H