CVE-2026-45772
Arbitrary Code Execution vulnerability in turbo (npm)


What is CVE-2026-45772 About?

Turborepo is vulnerable to arbitrary code execution when run in untrusted repositories containing malicious Yarn configuration. This flaw allows an attacker to execute arbitrary code on a user's system by manipulating the `yarnPath` setting in a `.yarnrc.yml` file. Exploitation is highly effective when a user or CI system runs affected Turborepo commands on a malicious repository.

Affected Software

  • turbo
    • >=1.1.0, <2.9.14
  • @turbo/codemod
    • >=2.3.4, <2.9.14
  • @turbo/workspaces
    • >=2.3.4, <2.9.14

Technical Details

The vulnerability stems from Turborepo's package manager detection mechanism. In affected versions, the system executes `yarn --version` from the project directory. When run in a repository controlled by an attacker, this command causes Yarn to load and execute whatever `yarnPath` value is defined in the repository's `.yarnrc.yml`. An attacker can place a crafted `yarnPath` pointing to an executable under their control, leading to arbitrary code execution when a user or CI system runs `turbo`, `@turbo/codemod`, or `@turbo/workspaces` conversion commands within the untrusted repository.
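The following is an added example, not code from this advisory or from the Turborepo project. It shows the two defender-side checks the paragraph implies: (1) before running any tooling in a freshly cloned repository, inspect `.yarnrc.yml` for a `yarnPath` entry, since that value is what `yarn --version` would execute; and (2) detect the package manager without spawning a binary at all, by reading the `packageManager` field of `package.json` and falling back to lockfile presence. Function names, the line-based YAML scan (no YAML parser dependency), the "conventional" path pattern `.yarn/releases/yarn-<version>.cjs`, and all sample inputs are assumptions constructed for this example; only the `yarnPath` key and the `.yarnrc.yml` file name come from the advisory.

```javascript
// Added example (not from the advisory or Turborepo). Function names, the
// simplified YAML scan and the sample inputs are assumptions for illustration.

// Return the top-level `yarnPath` value from .yarnrc.yml text, or null.
// Assumption: a line-oriented scan is sufficient for the top-level key.
function findYarnPath(yarnrcYml) {
  for (const rawLine of yarnrcYml.split(/\r?\n/)) {
    const line = rawLine.replace(/#.*$/, "").trim(); // drop trailing comments
    const m = /^yarnPath\s*:\s*(.+)$/.exec(line);
    if (m) {
      // strip surrounding single or double quotes if present
      return m[1].trim().replace(/^(['"])(.*)\1$/, "$2");
    }
  }
  return null;
}

// Triage signal only: ANY yarnPath means `yarn --version` runs repository-
// controlled code. "conventional" just means it matches the usual Yarn Berry
// vendoring location (assumed pattern); "nonstandard" deserves a closer look.
function classifyYarnPath(yarnPath) {
  if (yarnPath === null) return "none";
  if (/^\.yarn\/releases\/yarn-[\w.-]+\.c?js$/.test(yarnPath)) return "conventional";
  return "nonstandard";
}

// Detect the package manager from static files only, never by executing it.
// `presentFiles` is the list of file names at the repository root.
function detectPackageManager(packageJsonText, presentFiles) {
  let pkg = {};
  try { pkg = JSON.parse(packageJsonText); } catch { /* treat as absent */ }
  if (typeof pkg.packageManager === "string") {
    const m = /^(npm|pnpm|yarn|bun)@(\d+\.\d+\.\d+)/.exec(pkg.packageManager);
    if (m) return { name: m[1], version: m[2], source: "packageManager" };
  }
  const files = new Set(presentFiles);
  if (files.has("pnpm-lock.yaml")) return { name: "pnpm", version: null, source: "lockfile" };
  if (files.has("yarn.lock")) return { name: "yarn", version: null, source: "lockfile" };
  if (files.has("bun.lockb")) return { name: "bun", version: null, source: "lockfile" };
  if (files.has("package-lock.json")) return { name: "npm", version: null, source: "lockfile" };
  return null;
}

// Combine both checks into one report for a cloned repository.
function auditClone(yarnrcYml, packageJsonText, presentFiles) {
  const yarnPath = findYarnPath(yarnrcYml);
  return {
    yarnPath,
    yarnPathClass: classifyYarnPath(yarnPath),
    packageManager: detectPackageManager(packageJsonText, presentFiles),
  };
}

// Constructed sample inputs standing in for an untrusted clone.
const SAMPLE_YARNRC = `# constructed sample .yarnrc.yml
nodeLinker: node-modules
yarnPath: "./scripts/not-really-yarn.cjs"
`;
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "constructed-monorepo",
  packageManager: "yarn@4.1.0",
  workspaces: ["packages/*"],
});

console.log(JSON.stringify(
  auditClone(SAMPLE_YARNRC, SAMPLE_PACKAGE_JSON, ["yarn.lock", ".yarnrc.yml"]),
  null, 2));
```

In a CI pipeline the `auditClone` result can gate the job: a `nonstandard` class, or any `yarnPath` at all in a repository that is not trusted, is a reason to stop before invoking `turbo`; the `packageManager` field gives the version information that detection needs without ever running Yarn from inside the repository.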

What is the Impact of CVE-2026-45772?

Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full system compromise, data theft, or further network penetration.

What is the Exploitability of CVE-2026-45772?

Exploitation requires an attacker to control the contents of a repository that is then cloned and used by a victim. The complexity of the attack is low for a prepared attacker. No authentication is required for the attacker to set up the malicious repository, but the victim must execute Turborepo commands within it. No special privileges are needed beyond the ability to run turbo commands in the repository. This is a local exploitation scenario, as the victim must interact with the malicious repository on their system. The primary risk factor is users cloning and working with untrusted repositories, particularly in CI/CD environments where automated tools may execute Turborepo commands.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link, or commentary listed).

What are the Available Fixes for CVE-2026-45772?

Available Upgrade Options

  • @turbo/workspaces
    • >=2.3.4, <2.9.14 → Upgrade to 2.9.14
  • turbo
    • >=1.1.0, <2.9.14 → Upgrade to 2.9.14
  • @turbo/codemod
    • >=2.3.4, <2.9.14 → Upgrade to 2.9.14


Additional Resources

What are Similar Vulnerabilities to CVE-2026-45772?

Similar Vulnerabilities: CVE-2023-45133, CVE-2023-28155, CVE-2022-24750, CVE-2021-43825, CVE-2020-15168