CVE-2026-45773

6.5 MEDIUM

Turborepo is a high-performance build system for JavaScript and TypeScript codebases

Published: 2026-05-15 · Last updated: 2026-05-19

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE: CWE-352, CWE-384

Affected products

Vendor	Product
vercel	turborepo

Description

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45773
[Vendor advisory]https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r

Related CVEs

Same vendor

CVE-2026-8769 — A vulnerability was determined in vercel ai up to 3.0.97 (4.3 MEDIUM)
CVE-2026-8768 — A vulnerability was found in vercel ai up to 3.0.97 (7.3 HIGH)
CVE-2026-8767 — A vulnerability has been found in vercel ai up to 3.0.97 (5.0 MEDIUM)
CVE-2026-46508 — Turborepo is a high-performance build system for JavaScript and TypeScript codebases (7.8 HIGH)
CVE-2026-45772 — Turborepo is a high-performance build system for JavaScript and TypeScript codebases (9.8 CRITICAL)

Same CWE

CVE-2026-48612 — Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’... (8.0 HIGH)
CVE-2022-47150 — Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery (4.3 MEDIUM)
CVE-2022-44630 — Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery (4.6 MEDIUM)
CVE-2024-32110 — Cross-Site request forgery (CSRF) vulnerability in Magepeople inc (4.3 MEDIUM)
CVE-2026-53739 — Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which ... (4.3 MEDIUM)