7.5
CVE-2026-45772: Turborepo allows malicious code execution in untrusted repositories
CVE-2026-45772
GHSA-3qcw-2rhx-2726
Summary
Turborepo's build system can run malicious code if you use it in a project from an unknown or untrusted source. This can happen if the project's configuration contains malicious code. To stay safe, update Turborepo to the latest version (2.9.14 or later).
What to do
- Update turbo to version 2.9.14.
- Update turbo codemod to version 2.9.14.
- Update turbo workspaces to version 2.9.14.
- Update turbo @turbo/codemod to version 2.9.14.
- Update turbo @turbo/workspaces to version 2.9.14.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| – | vercel | turborepo | >= 1.1.0, < 2.9.14 (cpe:2.3:a:vercel:turborepo:*:*:*:*:*:node.js:*:*) | – |
| npm | – | turbo | >= 1.1.0, < 2.9.14 | upgrade to 2.9.14 |
| npm | turbo | codemod | >= 2.3.4, < 2.9.14 | upgrade to 2.9.14 |
| npm | turbo | workspaces | >= 2.3.4, < 2.9.14 | upgrade to 2.9.14 |
| npm | turbo | @turbo/codemod | >= 2.3.4, < 2.9.14 | upgrade to 2.9.14 |
| npm | turbo | @turbo/workspaces | >= 2.3.4, < 2.9.14 | upgrade to 2.9.14 |
Original title
Turbo: Unexpected local code execution during Yarn Berry detection
Original description
### Impact
Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a project-controlled `yarnPath` from `.yarnrc.yml`. An attacker who controls repository contents could cause code execution when a user or CI system runs affected `turbo`, `@turbo/codemod`, or `@turbo/workspace` conversion commands.
### Fix
Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are instead inferred from metadata: `package.json`, `yarn.lock`, and the value of `yarnPath` in `.yarnrc.yml`, which is parsed as data rather than executed. Unrecognized Yarn lockfile formats are rejected instead of falling back to executing `yarn`.
### Workarounds
If you cannot upgrade immediately, do not run Turborepo commands in untrusted repositories. Review or remove `.yarnrc.yml` files that define `yarnPath` before running Turborepo, especially in CI or automated tooling that processes external projects.
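The Fix and Workarounds sections above describe the same defensive idea from two sides: infer the Yarn setup from metadata without ever spawning `yarn`, and treat a repository-controlled `yarnPath` as a finding rather than something to execute. The following Node.js script is an added example, not Turborepo's own detection code, that implements a pre-flight audit along those lines for CI pipelines that process external projects. It assumes file contents are supplied as strings (so it runs offline), uses a simplified line-based extraction of the top-level `yarnPath` key instead of a full YAML parser, and reads the `packageManager` field of `package.json` and the header of `yarn.lock` to classify the project as Yarn classic or Berry; the sample repositories at the bottom are constructed for the demonstration.

```javascript
// Added example (not Turborepo's own code): a pre-flight audit that mirrors the
// hardened detection strategy in the advisory. It never spawns `yarn`; it only
// reads project metadata and flags configuration that would make running yarn
// in this directory execute repository-controlled code.
// Inputs are file contents as strings (path -> content) so the check runs offline.

// Extract the top-level `yarnPath` value from .yarnrc.yml.
// Assumption: a simplified line-based parser is enough here; a production tool
// would use a real YAML parser. The value is returned as data, never executed.
function extractYarnPath(yarnrcYml) {
  for (const rawLine of yarnrcYml.split(/\r?\n/)) {
    const line = rawLine.replace(/#.*$/, "").trimEnd(); // drop trailing comments
    const m = /^yarnPath:\s*(.+)$/.exec(line);          // top-level key only (no indent)
    if (m) return m[1].trim().replace(/^["']|["']$/g, "");
  }
  return null;
}

// Infer the Yarn version and flavor from metadata only:
// - package.json "packageManager" (e.g. "yarn@3.6.4") gives an exact version.
// - yarn.lock header distinguishes classic ("# yarn lockfile v1") from Berry ("__metadata:").
// Anything else stays "unknown"; there is deliberately no fallback to `yarn --version`.
function inferYarn(files) {
  const result = { version: null, flavor: "unknown" };
  if (typeof files["package.json"] === "string") {
    let pkg;
    try { pkg = JSON.parse(files["package.json"]) || {}; } catch { pkg = {}; }
    const pm = typeof pkg.packageManager === "string" ? pkg.packageManager : "";
    const m = /^yarn@(\d+\.\d+\.\d+)/.exec(pm);
    if (m) {
      result.version = m[1];
      result.flavor = m[1].startsWith("1.") ? "classic" : "berry";
    }
  }
  const lock = files["yarn.lock"];
  if (result.flavor === "unknown" && typeof lock === "string") {
    if (/^# yarn lockfile v1/m.test(lock)) result.flavor = "classic";
    else if (/^__metadata:/m.test(lock)) result.flavor = "berry";
  }
  return result;
}

// Audit a repository snapshot. A `yarnPath` in .yarnrc.yml is reported as high
// severity because any tool that runs yarn from this directory would execute it;
// an unrecognized lockfile is reported instead of being probed with yarn.
function auditRepo(files) {
  const findings = [];
  const yarn = inferYarn(files);
  if (typeof files[".yarnrc.yml"] === "string") {
    const yarnPath = extractYarnPath(files[".yarnrc.yml"]);
    if (yarnPath) {
      findings.push({
        rule: "yarnrc-yarnpath",
        severity: "high",
        detail: `.yarnrc.yml sets yarnPath=${yarnPath}; running yarn here would execute that file`,
      });
    }
  }
  if (yarn.flavor === "unknown" && files["yarn.lock"] !== undefined) {
    findings.push({
      rule: "unknown-lockfile",
      severity: "medium",
      detail: "yarn.lock format not recognized; refusing to guess or to probe with yarn",
    });
  }
  return { yarn, findings, safeToProceed: findings.every((f) => f.severity !== "high") };
}

// Constructed sample repositories for the demonstration (not real projects).
const UNTRUSTED_REPO = {
  "package.json": JSON.stringify({ name: "demo", packageManager: "yarn@3.6.4" }),
  ".yarnrc.yml":
    "nodeLinker: node-modules\n" +
    "yarnPath: .yarn/releases/yarn-3.6.4.cjs  # repository-controlled in an untrusted clone\n",
  "yarn.lock": "# This file is generated by running \"yarn install\" inside your project.\n__metadata:\n  version: 6\n",
};

const TRUSTED_REPO = {
  "package.json": JSON.stringify({ name: "demo", packageManager: "yarn@1.22.22" }),
  "yarn.lock": "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n# yarn lockfile v1\n",
};

console.log("untrusted:", JSON.stringify(auditRepo(UNTRUSTED_REPO), null, 2));
console.log("trusted:", JSON.stringify(auditRepo(TRUSTED_REPO), null, 2));
```

In a pipeline, `safeToProceed === false` is the signal to stop before any step that invokes `turbo` or `yarn` in the checked-out directory; the `yarn` field shows what could be learned about the project without executing anything from it.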
NVD CVSS 4.0: 0.0
Vulnerability type
CWE-426
Published: 19 May 2026 · Updated: 28 May 2026 · First seen: 15 May 2026