CVE-2026-45793
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
15/07/2026
Last modified:
15/07/2026
Description
Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUB_TOKEN values using the ghs__ format can contain -, fail validation, and be disclosed to stderr or CI logs. This issue is fixed in versions 1.10.28, 2.2.28, and 2.9.8.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/composer/composer/commit/3f5e7f9fbfa541137d6d1d5643ec3b718e9d5039
- https://github.com/composer/composer/commit/65e6390c49f1a11cd8b660d81822086db51fe2d1
- https://github.com/composer/composer/commit/e66c8fdb7ff5409bd2f358c5f194038e49e93714
- https://github.com/composer/composer/pull/12853
- https://github.com/composer/composer/pull/12855
- https://github.com/composer/composer/releases/tag/1.10.28
- https://github.com/composer/composer/releases/tag/2.2.28
- https://github.com/composer/composer/releases/tag/2.9.8
- https://github.com/composer/composer/security/advisories/GHSA-f9f8-rm49-7jv2



