Description
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.
Published: 2026-05-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Turborepo’s self‑hosted login and SSO flows did not verify the CSRF state value on the localhost callback. A malicious web page can send a crafted request to that callback while a user’s CLI is awaiting authentication, allowing the CLI to accept a forged token before the legitimate response. This can cause the turbo client to complete login with incorrect credentials, giving an attacker the ability to impersonate a user and access resources protected by the remote cache or authentication endpoint.

Affected Systems

The vulnerability affects installations of Turborepo earlier than version 2.9.14 that use self‑hosted login or SSO browser flows. Users who authenticate the turbo CLI against a self‑hosted remote cache/auth endpoint are vulnerable; Vercel‑hosted device authorization flows are not impacted.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate risk, and there is no EPSS information or KEV listing. Exploitation requires a user to be visiting an attacker‑controlled web page while the turbo CLI is awaiting authentication, and the attacker must be able to target the localhost callback port. Given the lack of public exploitation evidence, the immediate priority is to address the missing CSRF check by updating the software, but monitoring for suspicious authentication attempts remains prudent.

Generated by OpenCVE AI on May 15, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Turborepo to version 2.9.14 or later where the CSRF validation is implemented.
  • If upgrading is not possible, temporarily disable self‑hosted SSO login in the turbo configuration until a patched version is available.
  • Ensure the localhost callback URL is bound only to the loopback interface and is not exposed to external networks, and consider switching to Vercel‑hosted login flows until the issue is resolved.

Generated by OpenCVE AI on May 15, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.
Title Turborepo: Login callback CSRF/session fixation
Weaknesses CWE-352
CWE-384
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T16:45:06.076Z

Reserved: 2026-05-13T07:45:21.251Z

Link: CVE-2026-45773

cve-icon Vulnrichment

Updated: 2026-05-15T16:45:00.876Z

cve-icon NVD

Status : Received

Published: 2026-05-15T16:16:15.137

Modified: 2026-05-15T16:16:15.137

Link: CVE-2026-45773

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T17:30:04Z

Weaknesses