What is GHSA-hcf7-66rw-9f5r?

GHSA-hcf7-66rw-9f5r is a security advisory published by GitHub Security Advisories with Medium severity. Trubo: Login callback CSRF/session fixation

Which CVE IDs does GHSA-hcf7-66rw-9f5r cover?

GHSA-hcf7-66rw-9f5r covers the following CVE IDs: CVE-2026-45773. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-hcf7-66rw-9f5r?

GHSA-hcf7-66rw-9f5r affects 1 product, including: npm/turbo:\u003c= 2.9.13.

GHSA-hcf7-66rw-9f5rMedium

Trubo: Login callback CSRF/session fixation

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-45773 →

📋 Description

Impact

Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials.

This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected.

Fix

The login and SSO redirect flows now generate a random state value, include it in the browser authentication URL, and require the same value on the localhost callback before accepting a token. Callbacks with a missing or mismatched state are rejected.

Workarounds

If you cannot upgrade immediately, avoid browser-based self-hosted turbo login or SSO flows on machines that may load untrusted web content during authentication. Use a pre-provisioned token or environment-based authentication instead.

🎯 Affected products1

npm/turbo:<= 2.9.13

🔗 CVE IDs covered (1)

📋 Description

Impact

Fix

Workarounds

🎯 Affected products1

🔗 References (3)