CVE-2026-40176
Command Injection in Composer Perforce VCS Leads to RCE
Publication date: 2026-04-15
Last updated on: 2026-04-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getcomposer | composer | From 1.0.0 (inc) to 2.2.26 (inc) |
| getcomposer | composer | From 2.3.0 (inc) to 2.9.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Composer, a dependency manager for PHP, specifically in versions 1.0 through 2.2.26 and 2.3 through 2.9.5. It is a command injection flaw in the Perforce::generateP4Command() method, which builds shell commands by inserting user-supplied Perforce connection parameters (such as port, user, and client) without properly escaping them.
An attacker can exploit this by crafting a malicious composer.json file that declares a Perforce VCS repository with specially crafted parameters. This allows the attacker to inject and execute arbitrary commands on the system running Composer, even if Perforce itself is not installed.
The vulnerability can only be exploited if Composer commands are run on untrusted projects containing attacker-controlled composer.json files, as VCS repositories are only loaded from the root composer.json or the composer config directory, not from dependencies' composer.json files.
This issue has been fixed in Composer versions 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
How can this vulnerability impact me?
This vulnerability can lead to arbitrary command execution on the system running Composer. An attacker who supplies a malicious composer.json file can execute commands with the privileges of the user running Composer.
- Potential unauthorized access or control over the affected system.
- Execution of malicious code, which could lead to data theft, system compromise, or further attacks.
- Disruption of normal operations due to unauthorized commands.
Users are at risk if they run Composer commands on projects with untrusted or attacker-supplied composer.json files.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade Composer to version 2.2.27 (2.2 LTS) or 2.9.6 (mainline) or later, where the issue has been fixed.
Avoid running Composer commands on untrusted projects or with attacker-supplied composer.json files, especially those declaring Perforce VCS repositories.
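As a pre-flight check for CI runners that build untrusted projects, here is an added Python example (not Composer's own code) that applies the two facts above: it tests a Composer version string against the affected ranges listed on this page, and it flags any repository of type `perforce` in the root composer.json whose settings contain shell metacharacters. The key name `p4user`, the metacharacter set and the sample composer.json are assumptions constructed for the example.

```python
import json
import re

# Composer releases affected by CVE-2026-40176, per the ranges on this page.
VULNERABLE_RANGES = [((1, 0, 0), (2, 2, 26)), ((2, 3, 0), (2, 9, 5))]

# Characters that could alter a shell command if a setting is concatenated
# into it unescaped (assumed set; tighten or extend for your environment).
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r'\"\\]")


def parse_version(version):
    """Turn '2.9.5' (optionally 'v'-prefixed or with a -dev suffix) into a tuple."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version):
    """True if this Composer version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def _strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from _strings(item)


def suspicious_perforce_repos(composer_json_text):
    """Return perforce repository entries whose settings contain shell metacharacters.

    Only the root composer.json (and the Composer config directory) can declare
    VCS repositories, so that is the file to inspect before running Composer.
    """
    repos = json.loads(composer_json_text).get("repositories", [])
    if isinstance(repos, dict):  # repositories may also be keyed by name
        repos = list(repos.values())
    return [r for r in repos
            if isinstance(r, dict) and r.get("type") == "perforce"
            and any(SHELL_META.search(s) for s in _strings(r))]


# Constructed sample: one benign entry and one carrying a ';' in a setting.
SAMPLE = json.dumps({"repositories": [
    {"type": "perforce", "url": "perforce.example.com:1666", "depot": "main"},
    {"type": "perforce", "url": "perforce.example.com:1666", "p4user": "build;x"},
]})
```

Run the version check against `composer --version` output and the repository scan against the project's root composer.json before any `composer install` or `composer update` on code you did not author.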
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute arbitrary commands in the context of the user running Composer by injecting malicious commands through Perforce connection parameters in a composer.json file. This could lead to unauthorized access, data manipulation, or data exfiltration.
Such unauthorized command execution and potential data compromise could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
However, the provided information does not explicitly describe the direct effects on compliance or specific regulatory impacts.