In a critical security alert for the PHP community, Nils Adermann, Co-Creator of Composer, has issued an urgent advisory regarding a vulnerability that inadvertently leaks sensitive GitHub authentication tokens into public and private CI/CD logs. Tracked as CVE-2026-45793 (CVSS 7.5), this flaw puts thousands of repositories at risk of credential theft.
The vulnerability was triggered by a recent change in GitHub’s infrastructure. GitHub introduced a new structured format for GITHUB_TOKENs and GitHub App installation tokens that includes a hyphen (-). Composer’s internal validation logic, established in 2021, was not designed to recognize this character.
As the advisory explains: “The new format fails Composer’s validation, leading to an error message that exposes the full token contents to stderr”. Because many CI/CD environments capture stderr to generate job logs, these sensitive secrets were written out in plaintext for anyone with log access to see.
The advisory highlights three factors that combined to create this bug:
- The rejected token was placed verbatim into the error message: “Your github oauth token for github.com contains invalid characters: <full token here>”.
- The validation regex only permitted [A-Za-z0-9_.], causing the new hyphenated tokens to fail.
- GitHub Actions’ secret masker often fails to redact these leaks because the error message may wrap or interleave with other text, making exact substring matching impossible.
While GitHub briefly rolled back the new token format to give the ecosystem time to react, the threat remains significant. “Any workflow that configures a GitHub App installation token… and then runs any Composer command will hit it,” the advisory warns.
The risk depends heavily on your environment:
- GitHub-hosted runners: Leaked tokens are generally valid for up to 6 hours.
- Self-hosted runners: Leaked tokens can remain valid for up to 24 hours, creating a much larger window for exploitation.
Nils Adermann and the Composer team have released immediate patches to address the underlying leak primitive. The fix removes the token from the exception message and relaxes the validation regex to accept the new format.
Recommended Actions:
- Update Composer Immediately: Run composer.phar self-update to reach version 2.9.8 or 2.2.28 (LTS).
- Audit Your Logs: If you use GitHub App installation tokens, review your recent Action logs for the “invalid characters” error.
- Rotate Compromised Secrets: If you find a plaintext token in your logs, “delete any token whose plaintext may have been written to a job log… and confirm no unexpected activity occurred”.
If you cannot update immediately, the team recommends disabling any GitHub Actions that run Composer commands until the patch is applied.
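The leaking validation beside its fix, together with a small auditor for the "Audit Your Logs" step above, as an added Python illustration that is not Composer's own code: the regexes and error text are reconstructed from the advisory quotes, and the token values and log lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Patterns reconstructed from the advisory text (assumption: not Composer's source).
# The pre-fix regex allowed only [A-Za-z0-9_.]; the fixed one also accepts '-'.
OLD_TOKEN_RE = re.compile(r"^[A-Za-z0-9_.]+$")
NEW_TOKEN_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
# Error text quoted in the advisory; the leaking build appended the raw token.
LEAK_MSG = "Your github oauth token for github.com contains invalid characters:"

def validate_leaky(token: str) -> Optional[str]:
    """Pre-fix behaviour: the rejected token is echoed verbatim into the error."""
    if OLD_TOKEN_RE.match(token):
        return None
    return f"{LEAK_MSG} {token}"

def validate_fixed(token: str) -> Optional[str]:
    """Post-fix behaviour: hyphen accepted; a rejected token is never echoed."""
    if NEW_TOKEN_RE.match(token):
        return None
    return LEAK_MSG

def audit_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_token) for each leaked token in a job log.
    Also handles the wrapped case the advisory describes, where the token lands
    on the line after the message and substring-based masking misses it."""
    findings = []
    for i, line in enumerate(lines):
        pos = line.find(LEAK_MSG)
        if pos < 0:
            continue
        rest = line[pos + len(LEAK_MSG):].strip()
        if not rest and i + 1 < len(lines):  # message wrapped: token on next line
            rest = lines[i + 1].strip()
        if rest:
            # Keep only a 4-char prefix so the report itself does not re-leak it.
            findings.append((i + 1, rest.split()[0][:4] + "..."))
    return findings

# Constructed sample values (not real tokens or real log output).
HYPHEN_TOKEN = "EXAMPLE_constructed-token-1"
SAMPLE_LOG = [
    "Run composer install --no-interaction",
    f"{LEAK_MSG} {HYPHEN_TOKEN}",
    "Installing dependencies from lock file",
    LEAK_MSG,
    "EXAMPLE_constructed-token-2",
]
```

Any finding returned by audit_log marks a token that should be treated as exposed and rotated, as the advisory recommends.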