{"uuid": "d9f3ed2c-8d02-4600-a9d4-64cf473798e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45773", "type": "seen", "source": "https://gist.github.com/alon710/e381dedd3ac6c2888e1321e911d4bec9", "content": "# CVE-2026-45773: CVE-2026-45773: Cross-Site Request Forgery and Session Fixation in Turborepo CLI\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-19\n> **Full Report:** https://cvereports.com/reports/CVE-2026-45773\n\n## Summary\nVercel Turborepo CLI versions prior to 2.9.14 are vulnerable to Cross-Site Request Forgery (CSRF) and Session Fixation during self-hosted remote cache authentication. The local callback server fails to validate the OAuth2 state parameter, allowing malicious websites to inject attacker-controlled tokens and compromise build environments.\n\n## TL;DR\nTurborepo CLI < 2.9.14 lacks state validation in its local authentication callback, enabling attackers to bind a developer's session to an attacker-controlled account via a drive-by request to localhost.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-352, CWE-384\n- **Attack Vector**: Network (Loopback)\n- **CVSS**: 6.5\n- **EPSS**: 0.00023\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Turborepo CLI (Self-Hosted Remote Cache Configurations)\n- **Turborepo**: < 2.9.14 (Fixed in: `2.9.14`)\n\n## Mitigation\n\n- Upgrade Turborepo CLI to version 2.9.14 or later.\n- Execute 'turbo logout' to clear potentially compromised session tokens.\n- Enforce strict state validation and PKCE on the self-hosted identity provider.\n\n**Remediation Steps:**\n1. Identify installed Turborepo versions using 'turbo --version'.\n2. Run 'npm install -g turbo@latest' or equivalent to update the CLI.\n3. Run 'turbo logout' to invalidate existing configurations.\n4. Re-authenticate using 'turbo login' with the patched binary.\n\n## References\n\n- [Vendor Advisory (GHSA)](https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r)\n- [NVD Record](https://nvd.nist.gov/vuln/detail/CVE-2026-45773)\n- [Sonatype Vulnerability Guide](https://guide.sonatype.com/vulnerabilities)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45773) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-19T20:10:50.000000Z"}