CVE-2026-45793
Received Received - Intake

Information Disclosure in Composer PHP Dependency Manager

Vulnerability report for CVE-2026-45793, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUB_TOKEN values using the ghs_<id>_<base64url-JWT> format can contain -, fail validation, and be disclosed to stderr or CI logs. This issue is fixed in versions 1.10.28, 2.2.28, and 2.9.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
composer composer 1.10.28
composer composer 2.2.28
composer composer 2.9.8
composer composer From 1.0 (inc) to 1.10.28 (exc)
composer composer From 2.0.0 (inc) to 2.2.28 (exc)
composer composer From 2.3.0 (inc) to 2.9.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Composer, a PHP dependency manager. It involves improper validation of GitHub OAuth tokens using a regex that rejects valid tokens containing hyphens. When GitHub Actions GITHUB_TOKEN tokens with hyphens are rejected, they are disclosed in error messages or CI logs.

Impact Analysis

If you use Composer versions before 1.10.28, 2.2.28, or 2.9.8 with GitHub Actions, your GITHUB_TOKEN could be exposed in CI logs. This may lead to unauthorized access to repositories or sensitive data if logs are retained or accessed by attackers.

Compliance Impact

This vulnerability could violate GDPR or HIPAA by exposing authentication tokens in logs, potentially leading to unauthorized access to personal or health data. Compliance requires protecting sensitive credentials, and this flaw undermines that requirement.

Detection Guidance

Check Composer version with 'composer --version'. If using versions 1.0-1.10.27, 2.0.0-2.2.27, or 2.3.0-2.9.7, the system is vulnerable. Review CI logs for GitHub token exposure in error messages.

Mitigation Strategies

Upgrade Composer to versions 1.10.28, 2.2.28, or 2.9.8 or later. Review and redact any exposed tokens in CI logs. Ensure no sensitive tokens remain in error messages or logs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45793. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart