CVE-2026-45773
MEDIUMDescription
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.
Is your site exposed to CVE-2026-45773?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| vercel | turborepo |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-45773? +
How severe is CVE-2026-45773? +
What products are affected by CVE-2026-45773? +
How do I check if I'm vulnerable to CVE-2026-45773? +
Related Vulnerabilities
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the `cTrash.restore` function does …
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does …
Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Request Forgery (CSRF) as the form available under …
Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows …
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or …
Versions of Gliffy Online prior to versions 4.14.0-7 contains a Cross Site Request Forgery (CSRF) flaw.