The PHP dependency management ecosystem received an urgent security wake-up call this week as the Composer team disclosed two critical command injection vulnerabilities, CVE-2026-40261 and CVE-2026-40176, both rooted in the tool’s Perforce Version Control System (VCS) driver.
Developers using any Composer version between 2.0 and 2.9.5 are potentially at risk, and an immediate update is strongly recommended.
Both vulnerabilities were independently discovered and responsibly disclosed by security researchers. CVE-2026-40176 was reported by saku0512, while Koda Reef reported CVE-2026-40261.
Both carry a CVSS v3 severity score of High and are rooted in the same underlying problem: insufficient escaping of user-controlled input when Composer constructs shell commands internally.
CVE-2026-40176:
This vulnerability exists in the Perforce::generateP4Command() method. When Composer builds shell commands for Perforce operations, it directly interpolates connection parameters, specifically the port, user, and client values without sanitizing them for shell metacharacters.
An attacker who controls a composer.json file can craft malicious values in the Perforce VCS repository definition that, when processed by Composer, execute arbitrary system commands in the context of the user running Composer. Critically, Composer will attempt to execute these injected commands even if Perforce is not installed on the target system.
The attack surface is limited, however: Composer only loads VCS repositories from the root composer.json file in the directory where commands are executed, or from the global Composer config directory (e.g., ~/.config/composer/composer.json). It cannot be triggered through composer.json files in installed dependency packages.
The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting a local attack vector requiring user interaction but no privileges. Confidentiality, integrity, and availability are all rated High.
CVE-2026-40261:
This vulnerability is broader in scope and more dangerous in practice. It resides in the Perforce::syncCodeBase() method, which appends a $sourceReference parameter directly to a shell command without proper escaping.
Any shell metacharacters embedded in the source reference will be interpreted by the operating system, enabling arbitrary command execution.
Additionally, researchers found that the same improper escaping flaw in generateP4Command() discovered as part of CVE-2026-40176 also affects the source url field processed by this method.
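The escaping flaw described above, as an added example written for this article and not Composer's own code: the unsafe interpolation pattern next to a hardened builder that uses PHP's escapeshellarg() (an illustration of the fix, not the project's actual patch), plus a validator applied before any value reaches a command line. Function names, the allowed-character set and the sample metadata are assumptions.

```php
<?php
// Added example, not Composer's code: the unsafe pattern behind both CVEs next to
// a hardened builder. Nothing is executed here; the functions only build strings.

// Vulnerable pattern: port, user, client and the source reference are interpolated
// directly, so any shell metacharacter in them changes the command structure.
function buildP4CommandUnsafe(array $conn, string $subcommand, string $sourceRef): string
{
    return "p4 -p {$conn['port']} -u {$conn['user']} -c {$conn['client']} "
         . "$subcommand $sourceRef";
}

// Hardened pattern: every untrusted value becomes exactly one shell word.
// escapeshellarg() is used as an illustration; it is not Composer's actual fix.
function buildP4CommandSafe(array $conn, string $subcommand, string $sourceRef): string
{
    return 'p4 -p ' . escapeshellarg($conn['port'])
         . ' -u ' . escapeshellarg($conn['user'])
         . ' -c ' . escapeshellarg($conn['client'])
         . ' ' . $subcommand . ' ' . escapeshellarg($sourceRef);
}

// Defence in depth: reject values that do not look like Perforce identifiers at
// all before they reach a command line. The allowed set is an assumption for this
// example; restrict it to what your depots actually use.
function isPlausibleP4Value(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.:@\/#-]+$/', $value);
}

// Constructed metadata, as a malicious repository might serve it: the source
// reference carries a space and a semicolon, both shell metacharacters.
$conn = ['port' => 'perforce.example.com:1666', 'user' => 'build', 'client' => 'ci-client'];
$hostileRef = '@123; second command';

// The unsafe string now contains two shell commands; in the safe string the
// whole reference is a single quoted argument handed to p4 verbatim.
echo "unsafe: " . buildP4CommandUnsafe($conn, 'sync', $hostileRef) . "\n";
echo "safe:   " . buildP4CommandSafe($conn, 'sync', $hostileRef) . "\n";

// The validator flags the hostile value and accepts a normal changelist reference.
var_dump(isPlausibleP4Value($hostileRef), isPlausibleP4Value('@123'));
```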
What makes CVE-2026-40261 especially alarming is its network-level attack vector (AV:N). The source reference and source url values are part of the package metadata served by Composer repositories.
This means any compromised or malicious Composer repository can serve packages with crafted metadata to trigger command injection on developer machines, without Perforce needing to be installed or the developer explicitly using Perforce in their project.
This attack is exploitable when installing or updating packages from source, which is the default behavior for dev-prefixed package versions.
Who Is Affected?
All users running Composer versions 2.0 through 2.2.26 and 2.3 through 2.9.5 are potentially vulnerable. The vulnerabilities are patched in:
- Composer 2.9.6 (mainline)
- Composer 2.2.27 (2.2 LTS)
You do not need to use Perforce in your projects to be at risk from CVE-2026-40261. Simply running composer install or composer update on a dev-version dependency sourced from a malicious repository is enough to trigger it.
How to Fix It: Update Composer Now
Run the following command immediately to update your Composer installation:
composer.phar self-update
This will pull the latest stable release (2.9.6) or, if you’re on the LTS track, update to 2.2.27. Verify the update with composer --version.
Workarounds If You Cannot Update Immediately
If an immediate update is not possible, apply these mitigations based on which CVE poses the greatest risk in your environment:
For CVE-2026-40261: Avoid installing dependencies from source by using the --prefer-dist flag or setting preferred-install: dist in your Composer configuration. Restrict your repositories to trusted sources only.
For CVE-2026-40176: Carefully inspect any composer.json file before running Composer commands on it. Verify that all Perforce-related fields (port, user, client) contain only expected, legitimate values. Never run Composer on projects obtained from unknown or untrusted sources.
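The two workarounds turned into a pre-flight check, as an added example for this article rather than Composer's own tooling: it parses a composer.json (constructed inline here), reports whether preferred-install is pinned to dist, and flags every string value in a Perforce repository entry that contains characters outside a conservative allow-list. Since the exact key names of a Perforce repository definition are not given above, all string fields of the entry are inspected; the allow-list and function names are assumptions.

```php
<?php
// Added example, not part of Composer or of this advisory: a pre-flight audit of a
// composer.json that applies the two workarounds as checks before running Composer.

// Characters outside this set have no business in a Perforce port, user, client
// or depot path. The allowed set is an assumption for this example.
function looksLegitimate(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.:@\/#-]+$/', $value);
}

// Returns human-readable findings; an empty list means nothing to report.
function auditComposerJson(string $json): array
{
    $doc = json_decode($json, true);
    if (!is_array($doc)) {
        return ['composer.json is not valid JSON'];
    }
    $findings = [];

    // Workaround for CVE-2026-40261: pin installs to dist so dependencies are not
    // checked out from source.
    $preferred = $doc['config']['preferred-install'] ?? null;
    if ($preferred !== 'dist') {
        $findings[] = 'config.preferred-install is not "dist" (found '
                    . json_encode($preferred) . ')';
    }

    // Workaround for CVE-2026-40176: inspect every Perforce repository definition.
    // Key names are not assumed; every string field of the entry is checked.
    foreach ($doc['repositories'] ?? [] as $name => $repo) {
        if (!is_array($repo) || ($repo['type'] ?? '') !== 'perforce') {
            continue;
        }
        $findings[] = "repository '$name' uses the Perforce driver; review it";
        foreach ($repo as $field => $value) {
            if ($field !== 'type' && is_string($value) && !looksLegitimate($value)) {
                $findings[] = "repository '$name' field '$field' holds unexpected characters";
            }
        }
    }
    return $findings;
}

// Constructed composer.json: no preferred-install setting, and one Perforce entry
// whose connection string carries shell metacharacters.
$sample = '{"repositories": [{"type": "perforce", "url": "perforce.example.com:1666; extra"}]}';
foreach (auditComposerJson($sample) as $finding) {
    echo "- $finding\n";
}
```

Run it against a project's real composer.json by replacing the constructed string with file_get_contents('composer.json'); an empty result means neither workaround is missing, but the checked-out project should still only come from a trusted source.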
The Composer security team proactively scanned Packagist.org and found no evidence of exploitation attempts using malicious Perforce metadata. As a preventive measure, publication of Perforce source metadata on Packagist.org has been turned off since April 10th, 2026.
Similarly, a scan of Private Packagist found no exploitation attempts. The Perforce VCS driver has been disabled on Private Packagist since April 10th, 2026. Private Packagist Self-Hosted customers should watch for an upcoming release announcement that includes verification steps to ensure no malicious metadata is present in their installation.
Why This Matters for PHP Developers
Command injection vulnerabilities in package managers are particularly dangerous because they sit at the intersection of developer trust and automated tooling. Developers routinely run composer install as part of CI/CD pipelines, onboarding scripts, and local workflows, often without scrutinizing every repository or package source.
A supply chain attack exploiting CVE-2026-40261 requires minimal effort from an attacker and can silently compromise developer machines, CI runners, and the production build environment.
The Composer team acted responsibly by coordinating disclosure, issuing fixes simultaneously across both supported release branches, and proactively turning off the vulnerable feature on hosted package platforms before public announcement.
Frequently Asked Questions
Q1: Do I need Perforce installed to be vulnerable? No. Composer attempts to execute the constructed shell commands regardless of whether Perforce is installed on your system.
Q2: Can these vulnerabilities be triggered through a dependency’s composer.json? CVE-2026-40176 cannot be triggered this way, but CVE-2026-40261 can be exploited through malicious package metadata served by any compromised or untrusted Composer repository.
Q3: What is the fastest way to patch these vulnerabilities? Run composer.phar self-update immediately to upgrade to version 2.9.6 (mainline) or 2.2.27 (LTS).
Q4: Has either vulnerability been actively exploited in the wild? As of the disclosure date, the Composer team has confirmed no known exploitation of either CVE before publication.
Site: thecybrdef.com