CVE-2026-45773 Overview
CVE-2026-45773 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in Vercel Turborepo, a build system for JavaScript and TypeScript codebases. Versions prior to 2.9.14 fail to validate a CSRF state value on the localhost callback used during self-hosted login and Single Sign-On (SSO) browser flows. A malicious web page can submit an attacker-controlled token to the local callback server while the Turborepo Command Line Interface (CLI) waits for authentication. If the forged request arrives first, the CLI completes login with attacker-supplied credentials. Vercel-hosted login flows using device authorization are not affected.
Critical Impact
Attackers can hijack the turbo CLI authentication flow against self-hosted remote cache and authentication endpoints, causing the CLI to bind to attacker-controlled credentials.
Affected Products
- Vercel Turborepo versions prior to 2.9.14
- Self-hosted Turborepo login flows
- Self-hosted Turborepo SSO browser flows
Discovery Timeline
- 2026-05-15 - CVE-2026-45773 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45773
Vulnerability Analysis
The vulnerability resides in the browser-based authentication handshake between the turbo CLI and self-hosted remote cache or authentication endpoints. The CLI opens a browser session and starts a local HTTP listener to receive the resulting token via a callback URL. During this window, the listener accepts any inbound request that matches the expected callback shape.
Because the callback handler does not validate a CSRF state parameter, it cannot distinguish the legitimate provider response from a request originated by another page in the user's browser. An attacker controlling any tab open during authentication can race the legitimate callback and deliver their own token first. The CLI then persists the attacker's token as the user's credential for subsequent remote cache operations.
Root Cause
The root cause is the absence of CSRF state validation [CWE-352] on the localhost callback endpoint. OAuth-style flows require the client to generate a random state value, pass it to the identity provider, and verify it on the callback. Turborepo's self-hosted login path omitted this binding, so the local server accepted unsolicited callbacks with arbitrary tokens.
Attack Vector
Exploitation requires user interaction: the victim must initiate turbo login or an SSO flow against a self-hosted endpoint while visiting an attacker-controlled or attacker-influenced web page. The malicious page issues a cross-origin request to the localhost callback port with a token chosen by the attacker. If the forged request reaches the CLI before the legitimate provider response, the CLI accepts the attacker's token. The attacker then controls which remote cache or backend the developer's CLI authenticates against, enabling cache poisoning or interception of build artifacts.
No verified public proof-of-concept code is available. See the GitHub Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-45773
Indicators of Compromise
- Unexpected modifications to Turborepo credential files such as ~/.config/turborepo/config.json or platform equivalents shortly after a turbo login attempt.
- Remote cache traffic from developer workstations to hostnames that do not match the organization's sanctioned self-hosted cache endpoint.
- Browser history entries showing third-party pages loaded during a Turborepo authentication session.
Detection Strategies
- Inventory installed turbo CLI versions across developer endpoints and flag any version below 2.9.14.
- Monitor HTTP requests reaching the turbo CLI's localhost callback port on developer machines during authentication windows for unexpected Referer or Origin headers.
- Correlate turbo login invocations with subsequent remote cache destination changes in CI and developer environments.
Monitoring Recommendations
- Log and alert on changes to Turborepo configuration files containing authentication tokens.
- Audit remote cache server access logs for tokens issued to unexpected user accounts or originating from unusual IP addresses.
- Track turbo process executions on engineering endpoints to baseline authentication activity.
How to Mitigate CVE-2026-45773
Immediate Actions Required
- Upgrade Turborepo to version 2.9.14 or later on all developer workstations and Continuous Integration (CI) runners.
- Rotate any tokens issued to self-hosted Turborepo remote cache or authentication endpoints, since attacker-supplied tokens may have been planted through this CSRF flaw.
- Re-authenticate the turbo CLI after upgrading to ensure credentials are bound to legitimate provider responses.
Patch Information
The vulnerability is fixed in Turborepo 2.9.14. Vercel published remediation guidance in the GitHub Security Advisory GHSA-hcf7-66rw-9f5r. Upgrade through the standard package manager used to install Turborepo.
Workarounds
- Avoid running turbo login or SSO flows against self-hosted endpoints while untrusted browser tabs are open.
- Use Vercel-hosted login with device authorization, which is not affected by this issue, until upgrade is complete.
- Restrict developer workstation egress so the turbo CLI can only reach approved self-hosted cache and authentication hosts.
# Upgrade Turborepo to the patched release
npm install turbo@2.9.14 --save-dev
# or globally
npm install -g turbo@2.9.14
# Verify installed version
turbo --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.