CVE-2026-0775: Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

January 23, 2026 (updated February 6, 2026)

Duplicate Advisory

This advisory has been withdrawn because describes a dependency bump and therefore, per CVE CNA rule 4.1.12, is a duplicate of GHSA-34x7-hfp2-rc4v/CVE-2026-24842. Additionally, per https://github.com/npm/cli/issues/8939#issuecomment-3862719883, npm cli should not be listed as an affected product. This link is maintained to preserve external references.

Original Description

npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-0775 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →