CVE-2026-48790: turso-cli persists Turso platform JWT with world-readable (0o644) file permissions

June 26, 2026

turso-cli persists the user’s Turso platform JWT to settings.json using Viper’s default configPermissions of 0o644, leaving the credential file world-readable on standard Linux and macOS systems. Any other local UID on the host can read the file and recover the platform JWT, which grants full Turso platform access scoped to the user’s organizations.

References

github.com/advisories/GHSA-57f6-pvx8-hwj6
github.com/tursodatabase/turso-cli/security/advisories/GHSA-57f6-pvx8-hwj6
nvd.nist.gov/vuln/detail/CVE-2026-48790

Code Behaviors & Features

Detect and mitigate CVE-2026-48790 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →