CVE-2026-46420
Received Received - Intake

Command Injection in setup-php GitHub Action

Vulnerability report for CVE-2026-46420, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

setup-php is a GitHub action to set up PHP with extensions, php.ini configuration, coverage drivers, and tools. From 2.25.0 prior to 2.37.1, shivammathur/setup-php resolves the PHP version from repository-controlled files such as .php-version, composer.lock through platform-overrides.php, and composer.json through config.platform.php, and insufficiently constrains those values before incorporating them into generated shell or PowerShell setup scripts, allowing command injection on a GitHub Actions runner when workflows such as pull_request_target check out attacker-controlled contents before invoking setup-php. This issue is fixed in version 2.37.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
shivammathur setup-php to 2.37.1 (exc)
shivammathur setup-php 2.37.1
shivammathur setup-php From 2.25.0 (inc) to 2.37.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46420 is a command injection vulnerability in the shivammathur/setup-php GitHub Action affecting versions 2.25.0 to 2.37.0. It occurs when the action reads PHP version details from files like .php-version or composer.json without proper validation. Attackers can exploit this by modifying these files in a repository, leading to arbitrary command execution on the GitHub Actions runner if the workflow processes untrusted code before invoking setup-php.

Detection Guidance

This vulnerability is specific to GitHub Actions workflows using shivammathur/setup-php versions 2.25.0 to 2.37.0. Detection involves checking workflow files for uses of setup-php and verifying the version in use. Commands to check include: grep -r "shivammathur/setup-php" .github/workflows/ to find workflows using the action, and grep -r "uses: shivammathur/setup-php@" .github/workflows/ to check the version. If the version is between 2.25.0 and 2.37.0, the system is vulnerable.

Impact Analysis

If you use an affected version of setup-php in workflows that check out untrusted repository contents before running the action, attackers could inject malicious commands. This may allow them to execute arbitrary code on your GitHub Actions runner, potentially compromising your CI/CD pipeline, stealing secrets, or altering build outputs. The risk is higher in workflows like pull_request_target where untrusted pull request code is processed.

Compliance Impact

This vulnerability primarily impacts software supply chain security in CI/CD pipelines rather than directly violating GDPR or HIPAA. However, it could indirectly affect compliance by enabling unauthorized code execution in environments handling sensitive data. For GDPR, this might involve unauthorized processing of personal data if malicious commands access or exfiltrate such data. For HIPAA, it could lead to unauthorized access to protected health information if the GitHub Actions runner processes such data. The vulnerability expands attack surface in workflows handling regulated data.

Mitigation Strategies

Immediately update shivammathur/setup-php to version 2.37.1 or later in all affected workflows. Review workflows using setup-php, especially those triggered by pull_request_target, to ensure no untrusted inputs are passed to the action. Remove or sanitize inputs from untrusted sources like pull request titles, branches, or repository files such as .php-version and composer.json before invoking setup-php.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46420. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart