May 28, 2026


CVE-2026-45321

TanStack Unspecified Vulnerability

CVSS 9.6 · CRITICAL ⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog

Confirmed exploited in the wild. Added 2026-05-27. Federal remediation due 2026-06-10.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Summary

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
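The chain described above starts with a workflow misconfiguration that is visible in the repository's own YAML, which makes it a good candidate for a pre-commit or CI check. The following scanner is an added example written for this page, not code from the CVE record or from the TanStack project. It flags the three defender-relevant conditions the summary names: a privileged trigger (pull_request_target and similar) that checks out the untrusted pull-request head, actions/cache used under such a trigger, and id-token: write granted to a job that attacker-controlled code can reach. The two sample workflows are constructed for illustration, and the parsing is deliberately regex-based so it runs without PyYAML; on real repositories a proper YAML parser is the better choice.

```python
"""Added example: a small defensive scanner for GitHub Actions workflow text.
Detects the "Pwn Request" pattern (privileged trigger + checkout of the
untrusted PR head), cache use under a privileged trigger, and OIDC token
exposure (id-token: write) in the same job. Regex-based on purpose so it
runs offline with no dependencies; the sample workflows are constructed."""
import re

# Constructed sample of a risky workflow (not from any real repository).
RISKY_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm build
"""

# Constructed sample of the same build done safely: the unprivileged
# pull_request trigger, no PR-head checkout under secrets, no shared cache.
SAFE_WORKFLOW = """\
name: pr-build
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install && pnpm build
"""

# Triggers that run with the base repository's secrets and OIDC identity.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run", "issue_comment"}

# Expressions that resolve to the PR author's untrusted head commit or branch.
UNTRUSTED_HEAD_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)"
    r"|github\.head_ref"
    r"|refs/pull/[^/\s]+/head"
)


def _top_level_block(text: str, key: str) -> str:
    """Return a column-0 YAML mapping entry up to the next column-0 key.
    Regex-based; sufficient for the constructed samples above."""
    m = re.search(rf"^{re.escape(key)}:(.*)$", text, re.M)
    if not m:
        return ""
    rest = text[m.end():]
    nxt = re.search(r"^\S", rest, re.M)
    end = m.end() + (nxt.start() if nxt else len(rest))
    return text[m.start():end]


def triggers(text: str) -> set:
    """Extract the set of event names under the workflow's 'on:' key,
    handling both 'on: [a, b]' / 'on: a' and the block form."""
    block = _top_level_block(text, "on")
    first_line = block.split("\n", 1)[0]
    inline = first_line.split(":", 1)[1].strip() if ":" in first_line else ""
    if inline:
        return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
    entries = re.findall(r"^( +)([a-z_]+):", block, re.M)
    if not entries:
        return set()
    min_indent = min(len(indent) for indent, _ in entries)
    return {key for indent, key in entries if len(indent) == min_indent}


def scan_workflow(text: str) -> list:
    """Return finding strings for one workflow file; empty list means none
    of the patterns this example knows about were seen."""
    findings = []
    privileged = triggers(text) & PRIVILEGED_TRIGGERS
    if not privileged:
        return findings
    trig = ",".join(sorted(privileged))
    if UNTRUSTED_HEAD_REF.search(text):
        findings.append(
            f"pwn-request: {trig} trigger checks out the untrusted PR head; "
            "base-repo secrets and OIDC identity are available to that code")
    if re.search(r"uses:\s*actions/cache@", text):
        findings.append(
            f"cache-poisoning: actions/cache used under {trig}; an entry "
            "written by a fork-driven run can be restored by a privileged run")
    if re.search(r"^\s*id-token:\s*write", text, re.M):
        findings.append(
            f"oidc-exposure: id-token: write granted under {trig}; the runner "
            "holding that token also runs any attacker-influenced step")
    return findings


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, scan_workflow(wf) or "no findings")
```

Run it directly to see the risky sample produce three findings and the safe sample none; in practice, point scan_workflow at each file under .github/workflows and fail the pipeline on any non-empty result, then review whether the privileged trigger is needed at all.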

CVSS 3.1 breakdown

Base score: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Scope: CHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Weakness type (CWE)

Affected products

Tanstack tanstack/arktype-adapter
Tanstack tanstack/eslint-plugin-router
Tanstack tanstack/eslint-plugin-start
Tanstack tanstack/history
Tanstack tanstack/nitro-v2-vite-plugin
Tanstack tanstack/react-router
Tanstack tanstack/react-router-devtools
Tanstack tanstack/react-router-ssr-query
Tanstack tanstack/react-start
Tanstack tanstack/react-start-client
Tanstack tanstack/react-start-rsc
Tanstack tanstack/react-start-server
Tanstack tanstack/router-cli
Tanstack tanstack/router-core
Tanstack tanstack/router-devtools
Tanstack tanstack/router-devtools-core
Tanstack tanstack/router-generator
Tanstack tanstack/router-plugin
Tanstack tanstack/router-ssr-query-core
Tanstack tanstack/router-utils

References

Data: NIST NVD + CISA KEV. NVD last modified 2026-05-27. Always verify against the vendor advisory before acting.
