Update:
[LOW] GHSA-3qcw-2rhx-2726: Turbo: Unexpected local code execution during Yarn Berry detection
GitHub Security Advisory·Security·SecurityFix·5/19/2026
### Impact Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a proje
Why it matters → @turbo/workspaces released an update. Review the changelog for relevant changes.
Who should care → Teams using @turbo/workspaces.
@turbo/workspaces
Source payload preview
{
"ghsaId": "GHSA-3qcw-2rhx-2726",
"summary": "Turbo: Unexpected local code execution during Yarn Berry detection",
"severity": "LOW",
"updatedAt": "2026-05-19T19:46:44Z",
"references": [
{
"url": "https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45772"
},
{
"url": "https://github.com/advisories/GHSA-3qcw-2rhx-2726"
}
],
"description": "### Impact \n\nTurborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a project-controlled `yarnP
…