CSRF Vulnerability in Turborepo Build System by Vercel
CVE-2026-45773

5.1MEDIUM

Key Information:

Vendor: Vercel
Status: Turborepo
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-45773?

Turborepo, a high-performance build system for JavaScript and TypeScript, contains a CSRF vulnerability in versions prior to 2.9.14. This weakness arises from the lack of validation for the CSRF state value during self-hosted login and SSO browser flows on the localhost callback. If a malicious web page sends a request with an attacker-controlled token while the CLI is waiting for authentication, it may accept incorrect credentials before a legitimate callback is processed. Importantly, this vulnerability impacts users authenticating the turbo CLI against self-hosted remote cache/auth endpoints, while Vercel-hosted login flows using device authorization remain unaffected. Users should upgrade to version 2.9.14 to mitigate this risk.

Affected Version(s)

turborepo < 2.9.14

References

https://github.com/vercel/turborepo/security/advisories/G...

x_refsource_CONFIRM

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-45773 Data

JSON