HIGH | CVE-2026-42089 | CNA: GitHub_M

CVE-2026-42089: yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.
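As an added illustration of the design defect described above and of the check that closes it (this is not code from yeoman-environment; the helper names, the allowlist and the confirmation callback are invented for the example), the first function reproduces the install-on-sight pattern, while the second installs a missing generator only when its name is well-formed, appears in an operator-controlled allowlist, and an explicit confirmation succeeds:

```javascript
// Added example (not code from yeoman-environment): a hypothetical generator
// bootstrap that contrasts the unconfirmed install pattern from the advisory
// with a gated one. Helper names and allowlist contents are invented here.

// Yeoman's naming convention for generator packages (assumption for this
// example): optionally scoped, then "generator-<name>".
const GENERATOR_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?generator-[a-z0-9][a-z0-9._-]*$/;

// The pattern the advisory describes: every name from project configuration
// that is not installed yet is handed straight to the package installer.
function installMissingUnconfirmed(requested, installed, install) {
  const missing = requested.filter((name) => !installed.has(name));
  if (missing.length > 0) install(missing); // caller-supplied names reach the installer unchecked
  return missing;
}

// Gated variant: a name is installed only if it is well-formed, present in an
// operator-controlled allowlist, and explicitly confirmed. Everything else is
// reported back to the caller instead of being installed.
function installMissingGated(requested, installed, install, { allowlist, confirm }) {
  const approved = [];
  const rejected = [];
  for (const name of requested) {
    if (installed.has(name)) continue;
    if (!GENERATOR_NAME.test(name)) {
      rejected.push({ name, reason: 'malformed generator name' });
    } else if (!allowlist.has(name)) {
      rejected.push({ name, reason: 'not in allowlist' });
    } else if (!confirm(name)) {
      rejected.push({ name, reason: 'confirmation declined' });
    } else {
      approved.push(name);
    }
  }
  if (approved.length > 0) install(approved);
  return { approved, rejected };
}

// Constructed scenario: project configuration lists three generators, one
// already installed, one expected, one untrusted name. Returns what each
// variant would hand to the installer.
function demo(confirmed = true) {
  const requested = ['generator-foo', 'generator-webapp', 'some-untrusted-package'];
  const installed = new Set(['generator-foo']);
  const allowlist = new Set(['generator-webapp']);
  const unconfirmed = [];
  const gated = [];
  installMissingUnconfirmed(requested, installed, (pkgs) => unconfirmed.push(...pkgs));
  const result = installMissingGated(requested, installed, (pkgs) => gated.push(...pkgs), {
    allowlist,
    confirm: () => confirmed, // a real CLI would prompt, or require an explicit --yes flag
  });
  return { unconfirmed, gated, rejected: result.rejected };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(process.argv.includes('--yes')), null, 2));
}
```

Run with `node gated-install.js --yes` to see the confirmed path; without the flag the gated variant installs nothing and reports why. The point of the design is that the names coming out of project configuration are treated as untrusted input: they are validated and matched against policy before any installer is invoked, and the confirmation is a separate explicit step rather than an implicit side effect of bootstrapping.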

Metrics

CVSS v3.1: 8.6
Severity: HIGH
Fixed in: pending upstream
Affected products: 1


HarborGuard Analysis

Synopsis

An arbitrary package installation vulnerability affects yeoman-environment versions 2.9.0 through 6.0.0. The vulnerable installLocalGenerators() method installs packages from caller-supplied names without prompting for user confirmation, meaning an attacker who can influence project configuration files can trigger installation of arbitrary npm packages during CLI bootstrap. Successful exploitation results in arbitrary code execution on the host, as well as full read, write, and availability impact on the affected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-42089 is available across every HarborGuard environment. Ingestion from upstream advisory feeds occurs within minutes of publication, and the CVE is matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle yeoman-environment.

Triage (Available)

HarborGuard scores this CVE at CVSS 8.6 HIGH and weights it against each customer org's per-environment compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Not required

    Attacker needs an existing shell or process on the host; no over-the-network exposure is required (AV:L).

  • Authentication: Not required

    No authentication is required to exploit this vulnerability; an attacker without any account on the system can trigger the vulnerable code path if they can influence project configuration (PR:N).

  • Victim interaction: Required

    A user must perform an action such as running the CLI or opening a project, giving the attacker an opportunity to inject a malicious package name through a crafted configuration file (UI:R).

  • Attack complexity: Low

    The exploit is reliable and condition-free once a malicious package name is in place; no race conditions or special memory layout is required (AC:L).

Blast Radius

  • Arbitrary npm packages chosen by the attacker are installed and executed on the developer or CI host during CLI bootstrap.
  • Attacker-controlled code runs in the context of the process, giving full read access to source code, credentials, environment variables, and any secrets present on the host.
  • The attacker can write or modify files on the host, including project source, build artifacts, or configuration that propagates to downstream deployments.
  • The running process and any dependent services can be crashed or made unavailable by the installed malicious package.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-42089, the platform re-evaluates this advisory on every ingest cycle and will generate a patched-image rebuild automatically the moment yeoman-environment ships a remediated release. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads without manual intervention. In the interim, HarborGuard surfaces this CVE against any image found to contain an affected version of yeoman-environment (>=2.9.0, <6.0.1), enabling teams to apply compensating controls such as restricting network egress from CI runners to block outbound npm registry calls, enforcing read-only project configuration paths so untrusted inputs cannot reach installLocalGenerators(), and gating any generator-bootstrapping workflows behind a manual approval step until a patched release is available.
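One compensating check a team can run itself while waiting for a patched image, added here as an example rather than as HarborGuard's or yeoman-environment's code: walk a package-lock.json (lockfileVersion 2 or 3, `packages` map) and flag every `yeoman-environment` entry, including nested copies, whose version falls inside the range quoted above (>= 2.9.0, < 6.0.1). The semver handling is a minimal hand-written comparison (no dependency on the `semver` package), and the lockfile fragment is constructed for the example.

```javascript
// Added example (not HarborGuard or yeoman-environment code): find copies of
// yeoman-environment in a package-lock.json whose version is in the affected
// range. The range below is the one quoted in the advisory.

const AFFECTED = { name: 'yeoman-environment', min: '2.9.0', maxExclusive: '6.0.1' };

// Minimal semver parse: major.minor.patch with an optional pre-release tag.
// Returns null for anything that is not a plain version (git URLs, dist-tags).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  // A pre-release sorts before the release with the same numbers.
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// true when min <= version < maxExclusive; unparseable versions are reported
// as not decidable (false) rather than guessed.
function isAffected(version, range = AFFECTED) {
  const v = parseSemver(version);
  if (!v) return false;
  return compareSemver(v, parseSemver(range.min)) >= 0
    && compareSemver(v, parseSemver(range.maxExclusive)) < 0;
}

// Walk the lockfile "packages" map. Keys look like "node_modules/<name>" and
// nested installs repeat the "node_modules/" segment, so the package name is
// whatever follows the last one (scoped names keep their "@scope/" prefix).
function findAffected(lock, range = AFFECTED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const marker = 'node_modules/';
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === range.name && entry.version && isAffected(entry.version, range)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/yeoman-environment': { version: '3.19.3' },
    'node_modules/yo/node_modules/yeoman-environment': { version: '6.0.1' },
    'node_modules/generator-foo/node_modules/yeoman-environment': { version: '5.1.0' },
    'node_modules/generator-bar/node_modules/yeoman-environment': { version: '2.8.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

function scanSample() {
  return findAffected(SAMPLE_LOCK);
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findAffected(lock);
  for (const h of hits) console.log(`${h.path}: ${h.version} is in the affected range`);
  process.exitCode = hits.length > 0 ? 1 : 0;
}
```

Run as `node check-lock.js path/to/package-lock.json`; the non-zero exit code makes it usable as a CI gate alongside the egress and approval controls listed above. It inspects the lockfile only, so a copy that reaches a CI host through a path the lockfile does not describe (a global install, a cached toolchain image) needs a separate check.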

Affected packages

  • yeoman / environment: >= 2.9.0, < 6.0.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H