CVE-2026-45773— Turborepo: Login callback CSRF/session fixation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45773
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Turborepo: Login callback CSRF/session fixation
Source: NVD (National Vulnerability Database)
Vulnerability Description
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45773
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45773
请登录查看更多情报信息。
- https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5rx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-45773
Same Patch Batch · vercel · 2026-05-15 · 3 CVEs total
| CVE-2026-45772 | Turborepo: Unexpected local code execution during Yarn Berry detection | |
| CVE-2026-46508 | Turborepo: VSCode Extension command injection |
IV. Related Vulnerabilities
Same vendor: vercel
- CVE-2026-46508
Turborepo: VSCode Extension command injection - CVE-2026-45772
Turborepo: Unexpected local code execution during Yarn Berry - CVE-2026-45109
Next.js: Middleware / Proxy bypass in App Router application - CVE-2026-44582
Next.js: Cache poisoning via collisions in React Server Comp - CVE-2026-44581
Next.js: Cross-site scripting in App Router applications usi
Same weakness: CWE-352
- CVE-2026-8425
Notify Odoo <= 1.0.1 - Cross-Site Request Forgery to Setting - CVE-2026-28761
Musetheque V4CSRF漏洞 - CVE-2026-5365
LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'custome - CVE-2026-4527
Cross-Site Request Forgery (CSRF) in GitLab - CVE-2026-44364
misp-modules website - Missing CSRF protection in the websit
V. Comments for CVE-2026-45773
No comments yet