CVE-2026-45773: CWE-352: Cross-Site Request Forgery (CSRF) in vercel turborepo
A Cross-Site Request Forgery (CSRF) vulnerability exists in Turborepo versions prior to 2. 9. 14 affecting the self-hosted login and SSO browser flows. The issue arises because the localhost callback does not validate a CSRF state value, allowing a malicious web page to send a request with an attacker-controlled token. This can cause the CLI to complete login with incorrect credentials if the malicious request is accepted before the legitimate one. Vercel-hosted login flows using device authorization are not affected. This vulnerability has a CVSS score of 5. 1 (medium severity) and is fixed in version 2. 9. 14.
AI Analysis
Technical Summary
Turborepo before version 2.9.14 contains a CSRF vulnerability in its self-hosted login and SSO browser flows. Specifically, the localhost callback server does not validate the CSRF state parameter, enabling an attacker to send a crafted request with a malicious token during the CLI authentication process. If this malicious request is processed before the legitimate callback, the CLI may authenticate with the attacker's credentials. This affects only users authenticating the turbo CLI against self-hosted remote cache or authentication endpoints. Vercel's cloud-hosted login flows using device authorization are not vulnerable. The issue is resolved in Turborepo 2.9.14.
Potential Impact
An attacker can trick the Turborepo CLI into completing login with attacker-controlled credentials by exploiting the lack of CSRF state validation in self-hosted login flows. This could lead to unauthorized access or misuse of the CLI session in environments using self-hosted remote cache or authentication endpoints. The vulnerability does not affect Vercel-hosted login flows that use device authorization.
Mitigation Recommendations
This vulnerability is fixed in Turborepo version 2.9.14. Users should upgrade to version 2.9.14 or later to remediate the issue. Since no official remediation level or patch link is provided beyond this version information, users should verify the upgrade from the vendor's official release notes or advisory. No additional mitigations are indicated.
CVE-2026-45773: CWE-352: Cross-Site Request Forgery (CSRF) in vercel turborepo
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in Turborepo versions prior to 2. 9. 14 affecting the self-hosted login and SSO browser flows. The issue arises because the localhost callback does not validate a CSRF state value, allowing a malicious web page to send a request with an attacker-controlled token. This can cause the CLI to complete login with incorrect credentials if the malicious request is accepted before the legitimate one. Vercel-hosted login flows using device authorization are not affected. This vulnerability has a CVSS score of 5. 1 (medium severity) and is fixed in version 2. 9. 14.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Turborepo before version 2.9.14 contains a CSRF vulnerability in its self-hosted login and SSO browser flows. Specifically, the localhost callback server does not validate the CSRF state parameter, enabling an attacker to send a crafted request with a malicious token during the CLI authentication process. If this malicious request is processed before the legitimate callback, the CLI may authenticate with the attacker's credentials. This affects only users authenticating the turbo CLI against self-hosted remote cache or authentication endpoints. Vercel's cloud-hosted login flows using device authorization are not vulnerable. The issue is resolved in Turborepo 2.9.14.
Potential Impact
An attacker can trick the Turborepo CLI into completing login with attacker-controlled credentials by exploiting the lack of CSRF state validation in self-hosted login flows. This could lead to unauthorized access or misuse of the CLI session in environments using self-hosted remote cache or authentication endpoints. The vulnerability does not affect Vercel-hosted login flows that use device authorization.
Mitigation Recommendations
This vulnerability is fixed in Turborepo version 2.9.14. Users should upgrade to version 2.9.14 or later to remediate the issue. Since no official remediation level or patch link is provided beyond this version information, users should verify the upgrade from the vendor's official release notes or advisory. No additional mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T07:45:21.251Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a074490ec166c07b0660928
Added to database: 5/15/2026, 4:06:40 PM
Last enriched: 5/15/2026, 4:21:45 PM
Last updated: 5/15/2026, 5:07:20 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.