CVE-2026-45773: Cross-Site Request Forgery and Session Fixation in Turborepo CLI
Vulnerability ID: CVE-2026-45773
CVSS Score: 6.5
Published: 2026-05-19
Vercel Turborepo CLI versions prior to 2.9.14 are vulnerable to Cross-Site Request Forgery (CSRF) and Session Fixation during self-hosted remote cache authentication. The local callback server fails to validate the OAuth2 state parameter, allowing malicious websites to inject attacker-controlled tokens and compromise build environments.
TL;DR
Turborepo CLI < 2.9.14 lacks state validation in its local authentication callback, enabling attackers to bind a developer's session to an attacker-controlled account via a drive-by request to localhost.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-352, CWE-384
- Attack Vector: Network (Loopback)
- CVSS: 6.5
- EPSS: 0.00023
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- Turborepo CLI (Self-Hosted Remote Cache Configurations)
-
Turborepo: < 2.9.14 (Fixed in:
2.9.14)
Code Analysis
Commit: fb8c9ae
Fix commit implementing state parameter validation for local callback server.
Commit: fc62fe0
Release commit for version 2.9.14 containing the security fix.
Mitigation Strategies
- Upgrade Turborepo CLI to version 2.9.14 or later.
- Execute 'turbo logout' to clear potentially compromised session tokens.
- Enforce strict state validation and PKCE on the self-hosted identity provider.
Remediation Steps:
- Identify installed Turborepo versions using 'turbo --version'.
- Run 'npm install -g turbo@latest' or equivalent to update the CLI.
- Run 'turbo logout' to invalidate existing configurations.
- Re-authenticate using 'turbo login' with the patched binary.
References
Read the full report for CVE-2026-45773 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)