← Back to feed
Update:
[MODERATE] GHSA-hcf7-66rw-9f5r: Trubo: Login callback CSRF/session fixation
GitHub Security Advisory·Security·SecurityFix·5/19/2026
### Impact Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before th
Why it matters → turbo released an update. Review the changelog for relevant changes.
Who should care → Teams using turbo.
turbovercel
View original source ↗Source payload preview
{
"ghsaId": "GHSA-hcf7-66rw-9f5r",
"summary": "Trubo: Login callback CSRF/session fixation",
"severity": "MODERATE",
"updatedAt": "2026-05-19T19:49:55Z",
"references": [
{
"url": "https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45773"
},
{
"url": "https://github.com/advisories/GHSA-hcf7-66rw-9f5r"
}
],
"description": "### Impact\n\nTurborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could c
…