CVE-2026-40176
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/composer/composer).
CVSS VectorVendor: https://github.com/composer/composer
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Impact
The Perforce::generateP4Command() method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository could inject arbitrary commands through these values, leading to command execution in the context of the user running Composer. Composer would execute these injected commands even if Perforce is not installed.
VCS repositories are only loaded from the root composer.json file located in the directory you execute Composer commands in and from the composer config directory (e.g. ~/.config/composer/composer.json). So this vulnerability cannot be exploited through composer.json files of packages installed as dependencies.
You are at risk of command execution if you run Composer commands on untrusted projects with attacker supplied composer.json files, regardless of whether you or any of your dependencies use Perforce.
Patches
Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)
Workarounds
- Carefully inspect composer.json files before running Composer on them. Verify that Perforce-related fields contain valid values.
- Only run Composer commands on projects from trusted sources.
AnalysisAI
Command injection in Composer's Perforce integration allows arbitrary code execution when processing malicious composer.json files. Attackers controlling VCS repository configuration can inject shell commands via unsanitized Perforce connection parameters (port, user, client), which execute even without Perforce installed. CVSS 7.8 (High) with local attack vector requiring user interaction. Affects Composer versions before 2.2.27 and 2.9.6. Exploitation requires victim to run Composer commands on attacker-controlled project root composer.json, limiting scope to supply chain or social engineering scenarios. No KEV listing or public POC identified at time of analysis, but exploitation barrier is low once malicious config is introduced.
Technical ContextAI
Composer is PHP's dependency management tool that supports multiple version control systems including Perforce. The vulnerability exists in the Perforce::generateP4Command() method, which constructs shell commands by directly interpolating user-controlled input from composer.json VCS repository configuration fields. This is a classic CWE-78 OS Command Injection flaw where insufficient input validation allows metacharacter injection into shell command strings. The affected configuration parameters (port, user, client) are passed to shell execution contexts without proper escaping or sanitization. Critically, the vulnerable code path executes regardless of whether Perforce binaries are installed on the system, meaning all Composer users are exposed. The attack surface is constrained to root-level composer.json files (project directory or ~/.config/composer/composer.json), not dependency manifests, which prevents transitive exploitation through the package ecosystem.
RemediationAI
Upgrade immediately to Composer 2.2.27 for users on the 2.2 LTS branch or Composer 2.9.6 for users on the mainline branch. These versions implement proper input sanitization and escaping for Perforce connection parameters. Users can verify their current version with 'composer --version' and upgrade using 'composer self-update --2.2' for LTS or 'composer self-update' for mainline. The official security advisory is available at https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p with detailed technical information. As interim mitigation if immediate patching is not feasible, implement strict code review processes for all composer.json files before executing Composer commands, particularly inspecting any VCS repository declarations for suspicious or malformed values in port, user, and client fields. Restrict Composer execution to trusted project sources only and consider implementing file integrity monitoring for composer.json changes in production environments.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Web and Scripting 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Web and Scripting 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Web and Scripting 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Web and Scripting 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-wg36-wvj6-r67p