Skip to main content

CVE-2026-40176

HIGH
OS Command Injection (CWE-78)
2026-04-14 https://github.com/composer/composer GHSA-wg36-wvj6-r67p
7.8
CVSS 3.1 · Vendor: https://github.com/composer/composer
Share

Severity by source

Vendor (https://github.com/composer/composer) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/composer/composer).

CVSS VectorVendor: https://github.com/composer/composer

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 15, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 14, 2026 - 22:37 vuln.today
Analysis Generated
Apr 14, 2026 - 20:31 vuln.today
CVE Published
Apr 14, 2026 - 20:03 nvd
HIGH 7.8

DescriptionCVE.org

Impact

The Perforce::generateP4Command() method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository could inject arbitrary commands through these values, leading to command execution in the context of the user running Composer. Composer would execute these injected commands even if Perforce is not installed.

VCS repositories are only loaded from the root composer.json file located in the directory you execute Composer commands in and from the composer config directory (e.g. ~/.config/composer/composer.json). So this vulnerability cannot be exploited through composer.json files of packages installed as dependencies.

You are at risk of command execution if you run Composer commands on untrusted projects with attacker supplied composer.json files, regardless of whether you or any of your dependencies use Perforce.

Patches

Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)

Workarounds

  • Carefully inspect composer.json files before running Composer on them. Verify that Perforce-related fields contain valid values.
  • Only run Composer commands on projects from trusted sources.

AnalysisAI

Command injection in Composer's Perforce integration allows arbitrary code execution when processing malicious composer.json files. Attackers controlling VCS repository configuration can inject shell commands via unsanitized Perforce connection parameters (port, user, client), which execute even without Perforce installed. CVSS 7.8 (High) with local attack vector requiring user interaction. Affects Composer versions before 2.2.27 and 2.9.6. Exploitation requires victim to run Composer commands on attacker-controlled project root composer.json, limiting scope to supply chain or social engineering scenarios. No KEV listing or public POC identified at time of analysis, but exploitation barrier is low once malicious config is introduced.

Technical ContextAI

Composer is PHP's dependency management tool that supports multiple version control systems including Perforce. The vulnerability exists in the Perforce::generateP4Command() method, which constructs shell commands by directly interpolating user-controlled input from composer.json VCS repository configuration fields. This is a classic CWE-78 OS Command Injection flaw where insufficient input validation allows metacharacter injection into shell command strings. The affected configuration parameters (port, user, client) are passed to shell execution contexts without proper escaping or sanitization. Critically, the vulnerable code path executes regardless of whether Perforce binaries are installed on the system, meaning all Composer users are exposed. The attack surface is constrained to root-level composer.json files (project directory or ~/.config/composer/composer.json), not dependency manifests, which prevents transitive exploitation through the package ecosystem.

RemediationAI

Upgrade immediately to Composer 2.2.27 for users on the 2.2 LTS branch or Composer 2.9.6 for users on the mainline branch. These versions implement proper input sanitization and escaping for Perforce connection parameters. Users can verify their current version with 'composer --version' and upgrade using 'composer self-update --2.2' for LTS or 'composer self-update' for mainline. The official security advisory is available at https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p with detailed technical information. As interim mitigation if immediate patching is not feasible, implement strict code review processes for all composer.json files before executing Composer commands, particularly inspecting any VCS repository declarations for suspicious or malformed values in port, user, and client fields. Restrict Composer execution to trusted project sources only and consider implementing file integrity monitoring for composer.json changes in production environments.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-40176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy