CVE-2026-14802 Overview
CVE-2026-14802 is an operating system (OS) command injection vulnerability in Facebook's Create React App up to version 5.0.1 on macOS. The flaw resides in the startBrowserProcess function within openBrowser.js, part of the react-dev-utils component. An attacker who can influence the input passed to this function can inject arbitrary shell commands into the browser-launch process. The exploit is public, and the project maintainers have not responded to the initial issue report. This vulnerability is classified under CWE-77: Improper Neutralization of Special Elements used in a Command.
Critical Impact
Successful exploitation results in arbitrary OS command execution on developer machines running Create React App on macOS, exposing source code, credentials, and local network access.
Affected Products
- Facebook Create React App versions up to and including 5.0.1
- react-dev-utils component (openBrowser.js)
- Development environments running on macOS
Discovery Timeline
- 2026-07-06 - CVE-2026-14802 published to the National Vulnerability Database (NVD)
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2026-14802
Vulnerability Analysis
The vulnerability resides in the startBrowserProcess function of openBrowser.js, a helper used by Create React App to automatically launch a browser when the development server starts. On macOS, the helper invokes system commands to open the configured browser using values that are not sufficiently sanitized. When attacker-influenced input reaches this shell invocation, arbitrary commands are appended and executed by the shell.
The issue is remotely reachable because the browser-launch flow can be driven by values sourced from environment variables such as BROWSER, or by project configuration files that may be introduced through a cloned repository or a supply chain path. A developer who clones or opens a malicious project and runs the standard npm start workflow triggers execution.
Root Cause
The root cause is improper neutralization of special elements used in an OS command ([CWE-77]). The startBrowserProcess implementation passes user-controllable values into a shell context without escaping shell metacharacters such as ;, &&, |, and backticks. macOS-specific execution paths (for example, invocations that rely on the open binary and osascript) compound the risk because they route arguments through additional shell interpreters.
Attack Vector
An attacker crafts a malicious project or configuration that supplies a poisoned browser value. When the victim runs the development server, startBrowserProcess concatenates that value into a shell command, and the shell executes attacker-controlled payloads under the developer's user context. No authentication is required, and no additional user interaction beyond running the development server is needed. Public exploit details are referenced in GitHub Issue #17269 and VulDB CVE-2026-14802.
Detection Methods for CVE-2026-14802
Indicators of Compromise
- Unexpected child processes spawned by node during npm start or react-scripts start, particularly /bin/sh, osascript, or open invocations containing shell metacharacters.
- Environment variables such as BROWSER containing characters like ;, &&, |, $(, or backticks.
- Outbound network connections initiated from developer machines immediately after starting a Create React App dev server.
Detection Strategies
- Inspect .env, .env.local, and shell profiles in cloned repositories for suspicious BROWSER= assignments before running npm install or npm start.
- Monitor for react-scripts or react-dev-utils processes that launch shell interpreters with arguments outside the expected browser bundle identifiers.
- Correlate process ancestry using endpoint telemetry to identify node → sh → curl/wget/osascript chains during development server startup.
Monitoring Recommendations
- Enable command-line auditing on developer macOS endpoints and forward events to a centralized logging platform for review.
- Alert on any execution of osascript, curl, or wget whose parent process is node running react-scripts.
- Track outbound DNS and HTTP requests from developer workstations to non-corporate destinations during build and start operations.
How to Mitigate CVE-2026-14802
Immediate Actions Required
- Do not run npm start on untrusted Create React App projects until the underlying react-dev-utils package is patched or replaced.
- Unset or sanitize the BROWSER environment variable in developer shells, and remove BROWSER entries from repository .env files that are not explicitly trusted.
- Review CI/CD pipelines that invoke react-scripts start and disable automatic browser launch by exporting BROWSER=none.
Patch Information
At the time of publication, the Create React App project has not responded to the disclosure and no official patch is available. Track the status through the GitHub Create React App Repository and GitHub Issue #17269. Because Create React App has been formally deprecated by its maintainers, teams should plan migration to actively maintained alternatives such as Vite or Next.js.
Workarounds
- Set BROWSER=none before starting the development server to bypass the vulnerable startBrowserProcess code path entirely.
- Pin react-dev-utils to a forked version that escapes shell metacharacters, or replace the browser-open helper with a safe implementation that uses execFile without a shell.
- Run the development server inside an isolated container or virtual machine to contain any command execution outside the host developer environment.
# Configuration example: disable automatic browser launch to avoid the vulnerable code path
export BROWSER=none
npm start
# Alternatively, per-invocation
BROWSER=none npm start
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

