PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45773 Vercel CVE debrief

CVE-2026-45773 is a medium-severity authentication flow flaw in Turborepo’s self-hosted login and SSO browser flows. Before 2.9.14, the localhost callback did not validate a CSRF state value. If a user was waiting for authentication in the CLI, a malicious web page could send a request to the local callback server with an attacker-controlled token. If that request arrived before the legitimate callback, the CLI could finish login with the wrong credentials. The issue does not affect Vercel-hosted login flows that use device authorization.

Vendor: Vercel
Product: Turborepo
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations running the turbo CLI against self-hosted remote cache or authentication endpoints should pay attention, especially if users authenticate through browser-based login or SSO flows on local machines. Security teams should also review environments where developers regularly sign into CLI tools from browsers while the CLI listens on localhost.

Technical summary

The vulnerability is a CSRF-style weakness in the localhost callback used by Turborepo’s self-hosted login/SSO browser flow. The callback accepted a request without validating a state parameter, so a cross-site request from a malicious web page could preempt the legitimate authentication response and supply the token the CLI then used. The supplied advisory identifies CWE-352 and CWE-384, and notes the problem is fixed in Turborepo 2.9.14.
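The following is an added illustration of the state check this summary and the opening description are about; it is not Turborepo's code. It models the localhost callback as a function over the request's query string, shows the unchecked shape beside one that binds the callback to a per-login state value, and replays two requests in arrival order to show how the race described above is resolved. The parameter names `token` and `state`, the arrival order and every value are constructed assumptions.

```rust
// Added example (not Turborepo's code): a minimal model of a CLI localhost
// login callback, with and without a per-login CSRF state check.
use std::collections::HashMap;

/// Outcome of handling one callback request.
#[derive(Debug, PartialEq)]
pub enum Callback {
    /// State matched: this token may complete the login.
    Accepted(String),
    /// State missing or wrong: ignore the request and keep waiting.
    Rejected(&'static str),
}

/// Parse a query string such as "token=abc&state=xyz" into key/value pairs.
/// No percent-decoding; sufficient for the opaque values used here.
fn parse_query(query: &str) -> HashMap<&str, &str> {
    query
        .split('&')
        .filter_map(|kv| kv.split_once('='))
        .collect()
}

/// Constant-time comparison so the state check does not leak by timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Unchecked shape (the pre-2.9.14 behaviour the advisory describes):
/// whichever request reaches the callback first supplies the token.
pub fn handle_callback_unchecked(query: &str) -> Callback {
    match parse_query(query).get("token") {
        Some(t) => Callback::Accepted(t.to_string()),
        None => Callback::Rejected("missing token"),
    }
}

/// Hardened shape: the CLI generated `expected_state` before opening the
/// browser and accepts only a callback that echoes it back unchanged.
pub fn handle_callback_checked(query: &str, expected_state: &str) -> Callback {
    let params = parse_query(query);
    let state = match params.get("state") {
        Some(s) => *s,
        None => return Callback::Rejected("missing state"),
    };
    if !ct_eq(state.as_bytes(), expected_state.as_bytes()) {
        return Callback::Rejected("state mismatch");
    }
    match params.get("token") {
        Some(t) => Callback::Accepted(t.to_string()),
        None => Callback::Rejected("missing token"),
    }
}

/// Feed requests to a handler in arrival order and return the token that
/// would complete the login, if any. This models the race in the advisory:
/// a cross-site request may land before the identity provider's redirect.
pub fn first_accepted<F>(requests: &[&str], mut handle: F) -> Option<String>
where
    F: FnMut(&str) -> Callback,
{
    for req in requests {
        if let Callback::Accepted(tok) = handle(req) {
            return Some(tok);
        }
    }
    None
}

fn main() {
    // Constructed sample: the state the CLI chose for the current login.
    let expected = "s3cr3t-state-8f2a";
    // Constructed arrival order: an off-site request with no valid state
    // reaches the callback before the legitimate redirect does.
    let arrivals = [
        "token=unrelated-token",                    // cross-site request
        "token=user-token&state=s3cr3t-state-8f2a", // legitimate redirect
    ];
    let unchecked = first_accepted(&arrivals, handle_callback_unchecked);
    let checked = first_accepted(&arrivals, |q| handle_callback_checked(q, expected));
    println!("unchecked callback finishes login with: {:?}", unchecked);
    println!("state-checked callback finishes login with: {:?}", checked);
}
```

With the unchecked handler the first arrival wins, so the login completes with a token the user never obtained; with the state check the same first request is rejected and the CLI keeps waiting until the redirect carrying the expected state arrives. The state value must be unpredictable and unique per login attempt, and the comparison is done in constant time so the check itself does not become an oracle.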

Defensive priority

Medium priority. The flaw requires user interaction and a browser-driven authentication flow, but it can cause authentication to complete with the wrong credentials if the local callback is raced successfully. Upgrade urgency is highest for teams using self-hosted Turborepo auth flows.

Recommended defensive actions

  • Upgrade Turborepo to version 2.9.14 or later.
  • Audit which teams or CI/dev environments use self-hosted remote cache/auth endpoints with browser-based login or SSO.
  • Prefer authentication flows that do not rely on a localhost callback when possible.
  • Review whether local browser authentication steps are exposed to untrusted browsing activity during sign-in.
  • Monitor release notes and security advisories for any follow-up fixes or guidance from the project.

Evidence notes

The CVE description supplied in the source corpus states that, prior to 2.9.14, Turborepo’s self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback, and that the issue is fixed in 2.9.14. NVD metadata lists the issue as undergoing analysis and includes a reference to the GitHub Security Advisory for vercel/turborepo. The supplied NVD CVSS vector and weakness entries support the CSRF/authentication-confusion characterization.

Official resources

Publicly disclosed on 2026-05-15T16:16:15.137Z and last modified on 2026-05-18T17:34:50.557Z.