PT-2026-41312 · Turborepo · Turborepo

Published

2026-05-15

·

Updated

2026-05-19

·

CVE-2026-45773

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Turborepo versions prior to 2.9.14
Description Turborepo is a high-performance build system for JavaScript and TypeScript codebases. The self-hosted login and SSO browser flows fail to validate a CSRF (Cross-Site Request Forgery) state value on the localhost callback. While the CLI awaits authentication, a malicious web page can send a request to the local callback server using an attacker-controlled token. If this request is processed before the legitimate callback, the CLI may complete the login process using incorrect credentials. This issue specifically affects users authenticating the turbo CLI against self-hosted remote cache or authentication endpoints.
Recommendations Update to version 2.9.14.

Exploit

Fix

CSRF

Session Fixation

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45773
GHSA-HCF7-66RW-9F5R

Affected Products

Turborepo