CVE-2026-40261
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/composer/composer).
CVSS VectorVendor: https://github.com/composer/composer
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Impact
The Perforce::syncCodeBase() method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the Perforce::generateP4Command() method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping from the source url field. Composer would execute these injected commands even if Perforce is not installed.
The source reference and url are provided as part of package metadata. Any Composer package repository can serve package metadata declaring perforce as a source type with a malicious source reference or source url. This means the vulnerability can be exploited through any package served by a compromised or malicious Composer repository. An attack does not require Perforce to be installed on the client, as Composer will attempt to execute the constructed command regardless.
This vulnerability is exploitable when installing or updating dependencies from source (--prefer-source, default when installing dev prefixed versions), even if you do not use Perforce.
Patches
Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)
Note, the fix for the source url in the Perforce::generateP4Command() was addressed as part of the patches for GHSA-wg36-wvj6-r67p / CVE-2026-40176 in the same versions.
Workarounds
- Avoid installing dependencies from source by using
--prefer-distor thepreferred-install: distconfig setting. - Only use trusted Composer repositories.
AnalysisAI
Command injection in Composer's Perforce integration allows remote code execution when installing packages from malicious repositories. The vulnerability exists in versions before 2.2.27 and 2.9.6, affecting all users who install dependencies from source (--prefer-source or dev versions) regardless of whether Perforce is installed. Attackers can inject shell commands through crafted source references or connection parameters in package metadata served by compromised Composer repositories. CVSS 8.8 (High) with network attack vector, low complexity, and no authentication required (though user interaction is needed). No confirmed active exploitation (CISA KEV), but publicly available exploit code exists per GitHub advisory disclosure.
Technical ContextAI
Composer is PHP's dependency manager. The vulnerability affects Composer's Perforce version control integration, specifically in the syncCodeBase() and generateP4Command() methods. These methods construct shell commands by concatenating user-controlled input from package metadata without proper escaping or sanitization. The flaw is rooted in CWE-78 (OS Command Injection), where shell metacharacters in the sourceReference parameter and Perforce connection parameters (port, user, client) from source URLs are passed directly to shell execution functions. Critically, Composer attempts to execute these commands even when Perforce is not installed on the system, expanding the attack surface beyond actual Perforce users. The affected packages are identified as pkg:composer/composer_composer in CPE nomenclature, encompassing the mainline and LTS branches prior to the patched versions.
RemediationAI
Upgrade immediately to Composer 2.2.27 (for 2.2 LTS users) or Composer 2.9.6 (for mainline users), which include comprehensive fixes for both the syncCodeBase() and generateP4Command() command injection vulnerabilities. The patches implement proper input sanitization and escaping for source references and Perforce connection parameters. Users can verify their current version with 'composer --version' and upgrade using 'composer self-update --2.2' for LTS or 'composer self-update' for mainline. As interim mitigation, configure Composer to prefer distribution packages over source installation by using the --prefer-dist flag or setting 'preferred-install: dist' in composer.json configuration. Additionally, implement strict controls on allowed Composer repositories and only use trusted sources, as the vulnerability is exploitable through any compromised or malicious package repository. Review and audit existing composer.json and composer.lock files for dependencies from untrusted sources. Full technical details and patches are documented in the GitHub security advisories at github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Web and Scripting 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Web and Scripting 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Web and Scripting 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Web and Scripting 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-gqw4-4w2p-838q