Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14802

CVE-2026-14802: React Create-React-App RCE Vulnerability

CVE-2026-14802 is a remote code execution flaw in React Create-React-App up to version 5.0.1 on macOS that allows OS command injection. This post covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-14802 Overview

CVE-2026-14802 is an operating system (OS) command injection vulnerability in Facebook's Create React App up to version 5.0.1 on macOS. The flaw resides in the startBrowserProcess function within openBrowser.js, part of the react-dev-utils component. An attacker who can influence the input passed to this function can inject arbitrary shell commands into the browser-launch process. The exploit is public, and the project maintainers have not responded to the initial issue report. This vulnerability is classified under CWE-77: Improper Neutralization of Special Elements used in a Command.

Critical Impact

Successful exploitation results in arbitrary OS command execution on developer machines running Create React App on macOS, exposing source code, credentials, and local network access.

Affected Products

  • Facebook Create React App versions up to and including 5.0.1
  • react-dev-utils component (openBrowser.js)
  • Development environments running on macOS

Discovery Timeline

  • 2026-07-06 - CVE-2026-14802 published to the National Vulnerability Database (NVD)
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2026-14802

Vulnerability Analysis

The vulnerability resides in the startBrowserProcess function of openBrowser.js, a helper used by Create React App to automatically launch a browser when the development server starts. On macOS, the helper invokes system commands to open the configured browser using values that are not sufficiently sanitized. When attacker-influenced input reaches this shell invocation, arbitrary commands are appended and executed by the shell.

The issue is remotely reachable because the browser-launch flow can be driven by values sourced from environment variables such as BROWSER, or by project configuration files that may be introduced through a cloned repository or a supply chain path. A developer who clones or opens a malicious project and runs the standard npm start workflow triggers execution.

Root Cause

The root cause is improper neutralization of special elements used in an OS command ([CWE-77]). The startBrowserProcess implementation passes user-controllable values into a shell context without escaping shell metacharacters such as ;, &&, |, and backticks. macOS-specific execution paths (for example, invocations that rely on the open binary and osascript) compound the risk because they route arguments through additional shell interpreters.

Attack Vector

An attacker crafts a malicious project or configuration that supplies a poisoned browser value. When the victim runs the development server, startBrowserProcess concatenates that value into a shell command, and the shell executes attacker-controlled payloads under the developer's user context. No authentication is required, and no additional user interaction beyond running the development server is needed. Public exploit details are referenced in GitHub Issue #17269 and VulDB CVE-2026-14802.

Detection Methods for CVE-2026-14802

Indicators of Compromise

  • Unexpected child processes spawned by node during npm start or react-scripts start, particularly /bin/sh, osascript, or open invocations containing shell metacharacters.
  • Environment variables such as BROWSER containing characters like ;, &&, |, $(, or backticks.
  • Outbound network connections initiated from developer machines immediately after starting a Create React App dev server.

Detection Strategies

  • Inspect .env, .env.local, and shell profiles in cloned repositories for suspicious BROWSER= assignments before running npm install or npm start.
  • Monitor for react-scripts or react-dev-utils processes that launch shell interpreters with arguments outside the expected browser bundle identifiers.
  • Correlate process ancestry using endpoint telemetry to identify node → sh → curl/wget/osascript chains during development server startup.

Monitoring Recommendations

  • Enable command-line auditing on developer macOS endpoints and forward events to a centralized logging platform for review.
  • Alert on any execution of osascript, curl, or wget whose parent process is node running react-scripts.
  • Track outbound DNS and HTTP requests from developer workstations to non-corporate destinations during build and start operations.

How to Mitigate CVE-2026-14802

Immediate Actions Required

  • Do not run npm start on untrusted Create React App projects until the underlying react-dev-utils package is patched or replaced.
  • Unset or sanitize the BROWSER environment variable in developer shells, and remove BROWSER entries from repository .env files that are not explicitly trusted.
  • Review CI/CD pipelines that invoke react-scripts start and disable automatic browser launch by exporting BROWSER=none.

Patch Information

At the time of publication, the Create React App project has not responded to the disclosure and no official patch is available. Track the status through the GitHub Create React App Repository and GitHub Issue #17269. Because Create React App has been formally deprecated by its maintainers, teams should plan migration to actively maintained alternatives such as Vite or Next.js.

Workarounds

  • Set BROWSER=none before starting the development server to bypass the vulnerable startBrowserProcess code path entirely.
  • Pin react-dev-utils to a forked version that escapes shell metacharacters, or replace the browser-open helper with a safe implementation that uses execFile without a shell.
  • Run the development server inside an isolated container or virtual machine to contain any command execution outside the host developer environment.
bash
# Configuration example: disable automatic browser launch to avoid the vulnerable code path
export BROWSER=none
npm start

# Alternatively, per-invocation
BROWSER=none npm start

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.