CVE-2026-45772

9.8 CRITICAL

Turborepo is a high-performance build system for JavaScript and TypeScript codebases

Published: 2026-05-15 · Last updated: 2026-05-19

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-426

Affected products

Vendor	Product
vercel	turborepo

Description

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45772
[Vendor advisory]https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726

Related CVEs

Same vendor

CVE-2026-8769 — A vulnerability was determined in vercel ai up to 3.0.97 (4.3 MEDIUM)
CVE-2026-8768 — A vulnerability was found in vercel ai up to 3.0.97 (7.3 HIGH)
CVE-2026-8767 — A vulnerability has been found in vercel ai up to 3.0.97 (5.0 MEDIUM)
CVE-2026-46508 — Turborepo is a high-performance build system for JavaScript and TypeScript codebases (7.8 HIGH)
CVE-2026-45773 — Turborepo is a high-performance build system for JavaScript and TypeScript codebases (6.5 MEDIUM)

Same CWE

CVE-2026-53819 — OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can overri... (8.8 HIGH)
CVE-2026-48565 — Untrusted search path in Windows Narrator Braille allows an authorized attacker to elevate privileges locally (7.8 HIGH)
CVE-2026-47648 — Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally (7.0 HIGH)
CVE-2026-24064 — Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability (7.8 HIGH)
CVE-2026-11401 — An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remot... (8.0 HIGH)