← Back to CVE List
CVE-2026-45793NVD
Vulnerability Summary
Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUB_TOKEN values using the ghs_<id>_<base64url-JWT> format can contain -, fail validation, and be disclosed to stderr or CI logs. This issue is fixed in versions 1.10.28, 2.2.28, and 2.9.8.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityNone
AvailabilityNone
External References
- https://github.com/composer/composer/commit/3f5e7f9fbfa541137d6d1d5643ec3b718e9d5039
- https://github.com/composer/composer/commit/65e6390c49f1a11cd8b660d81822086db51fe2d1
- https://github.com/composer/composer/commit/e66c8fdb7ff5409bd2f358c5f194038e49e93714
- https://github.com/composer/composer/pull/12853
- https://github.com/composer/composer/pull/12855
- https://github.com/composer/composer/releases/tag/1.10.28
- https://github.com/composer/composer/releases/tag/2.2.28
- https://github.com/composer/composer/releases/tag/2.9.8
- https://github.com/composer/composer/security/advisories/GHSA-f9f8-rm49-7jv2