CVE-2026-0775: CWE-732: Incorrect Permission Assignment for Critical Resource in npm cli
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
AI Analysis
Technical Summary
CVE-2026-0775 is a local privilege escalation vulnerability reported in npm CLI version 10.9.0. The root cause is an incorrect permission assignment (CWE-732): npm loads modules from a location whose permissions do not stop a less privileged local user from placing files there, and npm does not otherwise restrict or validate where the modules it loads come from. An attacker who can already run low-privileged code on the host can therefore plant a malicious module in that location and have it executed the next time a more privileged user, or an automated job running as that user, invokes npm. The advisory does not name the location; the usual shape of this weakness is a directory on the module search path, or one of its parent directories, that is group- or world-writable or reachable through a symlink the attacker controls, so that an unprivileged account can create the file a privileged npm invocation later requires. Exploitation needs an initial low-privileged foothold but no user interaction beyond the victim's normal use of npm. The CVSS 3.0 base score of 7.0 is what the formula yields for a local, high-complexity, low-privilege, no-interaction attack with high confidentiality, integrity and availability impact; the rating is high despite the local vector because the planted code runs with the victim's full rights. No public exploit has been reported; the issue was tracked as ZDI-CAN-25430 before disclosure. The flaw matters most on shared developer hosts and CI runners, where npm is routinely run by a build service account and several users or jobs share a filesystem, so a single planted module can compromise a pipeline.
Potential Impact
The impact is significant for organizations that rely on npm CLI in their development workflows. Successful exploitation moves an attacker from a low-privileged local account to the context of whichever user runs npm: on a developer workstation that is the developer's own account, and on a CI runner it is often a build service account holding source, registry tokens, signing keys and deployment credentials. From there the attacker can read or alter code, inject malicious content into build artifacts, or break the build tooling itself. Because npm is used almost universally in JavaScript development, the exposed population includes software vendors, cloud providers and in-house development teams. The local prerequisite rules out direct remote exploitation but not chained attacks: shared build hosts, multi-user development servers, and any foothold gained through phishing or another vulnerability all satisfy it. The absence of a public exploit lowers the immediate likelihood of attack, but directory-permission checks are cheap to run and the fix should not wait for one.
Mitigation Recommendations
To mitigate CVE-2026-0775, organizations should: 1) Apply the npm CLI update that addresses this issue as soon as it is available; npm ships with Node.js, so a Node.js update may be the delivery vehicle, and `npm --version` should be compared against the vendor's fixed version (not stated on this page). 2) Audit the permissions of every directory npm or Node resolves modules from: the global root (`npm root -g`), the prefix's `lib/node_modules` (`npm config get prefix`), every directory listed in `NODE_PATH`, and the `node_modules` directories up the tree from where npm is run. None of these, nor any of their parent directories, should be writable by a group or by others, and none should be a symlink into space another user controls. 3) Do not run npm with elevated privileges from a working directory, prefix or cache that another user can write to; prefer a per-user prefix (`npm config set prefix ~/.npm-global`) over sudo-installed global packages. 4) Restrict local access on build and developer hosts so low-privileged accounts cannot create or modify files under module locations used by higher-privileged accounts. 5) Run CI jobs in ephemeral containers or sandboxes so that a planted module cannot persist or reach the host. 6) Monitor for new or modified files under module directories owned by a user other than the one running npm, and for npm processes spawned as a privileged account. 7) Re-audit permissions after every Node or npm upgrade and after tooling changes, since installers frequently recreate these directories with whatever umask was in effect.
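The permission audit in step 2 above, written out as a script. This is an added example, not code from npm, Node.js or ZDI, and it assumes the "unsecured location" has the usual CWE-732 shape (a module directory, or a parent of one, that a less privileged local user can write to or redirect through a symlink); which directory npm 10.9.0 actually used is not stated on the page, so the script checks every location the resolver consults. The function names are the example's own.

```sh
#!/bin/sh
# Added audit helper; not code from npm, Node.js or ZDI. It assumes the
# "unsecured location" is a directory on Node's module search path (or a
# parent of one) that a less privileged local user can write to, the usual
# CWE-732 shape. Which directory npm 10.9.0 actually used is not stated
# on the page, so every location the resolver consults is checked.

# Octal permission bits of a path (GNU stat, with a BSD stat fallback).
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# writable_by_others PATH: succeeds when group or "other" has write access.
# The sticky bit is ignored on purpose: an attacker only needs to create a
# new entry (a module directory), which sticky directories still allow.
writable_by_others() {
  m=$(mode_of "$1") || return 1
  perm=$(( 0$m & 0777 ))          # strip the setuid/setgid/sticky digit
  [ $(( perm & 022 )) -ne 0 ]
}

# insecure_path_components PATH: prints PATH and every ancestor that is a
# symlink or writable by others, one per line; prints nothing when clean.
# Ancestors matter: a writable parent lets an attacker rename the whole
# module tree and substitute their own, however tight the leaf's mode is.
insecure_path_components() {
  p=$1
  case $p in /*) ;; *) p=$PWD/$p ;; esac
  while :; do
    if [ -L "$p" ]; then
      printf '%s symlink\n' "$p"
    elif [ -e "$p" ] && writable_by_others "$p"; then
      printf '%s mode %s\n' "$p" "$(mode_of "$p")"
    fi
    [ "$p" = / ] && break
    parent=$(dirname "$p")
    [ "$parent" = "$p" ] && break
    p=$parent
  done
}

# module_search_dirs: the directories this host's npm/Node load modules
# from: NODE_PATH entries, the global install root, the prefix's
# lib/node_modules, and the node_modules directories Node's resolver
# walks up to from the current directory.
module_search_dirs() {
  if [ -n "${NODE_PATH:-}" ]; then
    printf '%s\n' "$NODE_PATH" | tr ':' '\n'
  fi
  if command -v npm >/dev/null 2>&1; then
    npm root -g 2>/dev/null
    printf '%s/lib/node_modules\n' "$(npm config get prefix 2>/dev/null)"
  fi
  d=$PWD
  while :; do
    printf '%s/node_modules\n' "${d%/}"
    [ "$d" = / ] && break
    d=$(dirname "$d")
  done
}

# audit_module_dirs: run the check over every search directory and print
# the unique findings. Exit status 1 when anything was flagged.
audit_module_dirs() {
  findings=$(module_search_dirs | sort -u | while IFS= read -r dir; do
    insecure_path_components "$dir"
  done | sort -u)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage: save as audit-npm-dirs.sh and run it as the account that normally
# runs npm (the service account on a CI runner, the developer on a laptop).
if [ "${0##*/}" = audit-npm-dirs.sh ]; then audit_module_dirs; fi
```

Run it from the project directory as well as from the home directory, because Node's upward walk means a stray `node_modules` in `/` or `/home` is on the path for every project beneath it. A finding of the form `/tmp mode 1777` is expected if a module directory lives under `/tmp`; that is the script reporting, correctly, that the location is world-writable.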
Affected Countries
United States, India, Germany, China, United Kingdom, Canada, Australia, France, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: zdi
- Date Reserved: 2026-01-08T22:50:45.465Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6972f3a64623b1157cfeb738
Added to database: 1/23/2026, 4:05:58 AM
Last enriched: 2/27/2026, 8:23:17 AM
Last updated: 3/25/2026, 2:59:16 AM