PHP Composer, the world’s most widely used dependency manager for PHP applications, has patched two high-severity command injection vulnerabilities, CVE-2026-40261 and CVE-2026-40176, that allow attackers to execute arbitrary operating system commands on developer machines, even when Perforce version control is not installed.
Developers should immediately upgrade to Composer 2.9.6 or 2.2.27 LTS to mitigate exposure across millions of PHP development environments worldwide.
Both flaws, CVE-2026-40261 and CVE-2026-40176, were published through GitHub’s advisory system (GHSA-gqw4-4w2p-838q and GHSA-wg36-wvj6-r67p, respectively) on April 13, 2026.
The vulnerabilities reside in Composer’s Perforce VCS (Version Control System) driver and stem from improper input validation, a class of weakness cataloged under CWE-20 and CWE-78, which allows attacker-controlled strings to be injected directly into shell commands without sanitization.
PHP Composer Vulnerability
CVE-2026-40261 carries a CVSS v3.1 base score of 8.8 (High), while CVE-2026-40176 is rated 7.8 (High). Neither vulnerability had been exploited in the wild before public disclosure.
The root cause of CVE-2026-40261 lies in the Perforce::syncCodeBase() method. This method appends the $sourceReference parameter, a value sourced directly from package metadata in a Composer repository, to a shell command without any escaping or sanitization.
An attacker can embed shell metacharacters (e.g., ;, &&, |, $(...)) inside a crafted sourceReference value, causing the operating system to interpret those characters as command separators and execute arbitrary payloads.
CVE-2026-40176 compounds this attack surface through the Perforce::generateP4Command() method, which constructs shell commands by directly interpolating user-supplied Perforce connection parameters, specifically the port, user, and client fields extracted from the source URL in composer.json.
A malicious repository operator can manipulate these fields to smuggle arbitrary shell commands into Composer’s execution pipeline. A particularly alarming aspect of both vulnerabilities is that the injected commands can execute even if Perforce is not installed on the victim’s system.
Composer will attempt to run the constructed shell command regardless of whether the target binary exists, making the attack viable across virtually all PHP development environments.
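To make the root cause concrete, here is an added illustration (not Composer’s own code) of a p4 command builder in the unsafe shape the advisory describes, beside one defensive rewrite that validates each field and quotes it with escapeshellarg(). Function names, the sample port/user/client values and the sample sourceReference are all constructed.

```php
<?php
// Added illustration, not Composer's own code. buildP4SyncUnsafe() has the
// shape the advisory describes (verbatim interpolation of metadata into a
// shell line); buildP4SyncSafe() is one defensive rewrite. Names are hypothetical.

// UNSAFE: port, user, client and sourceReference are concatenated as-is, so a
// ';', '&&' or '$(...)' in package metadata becomes shell syntax, and the
// line is still handed to the shell even when no p4 binary is installed.
function buildP4SyncUnsafe(string $port, string $user, string $client, string $ref): string
{
    return "p4 -p $port -u $user -c $client sync //$client/...@$ref";
}

// HARDENED step 1: accept only characters a Perforce port, user, client or
// changelist/label reference can legitimately contain, and refuse a leading
// '-' so a value cannot be parsed by p4 as an option.
function assertP4Identifier(string $value, string $field): string
{
    if ($value === '' || $value[0] === '-' || !preg_match('/^[A-Za-z0-9_.:@#-]+$/', $value)) {
        throw new InvalidArgumentException("Rejected Perforce $field: " . json_encode($value));
    }
    return $value;
}

// HARDENED step 2: quote every argument with escapeshellarg() so the shell
// passes it to p4 as a single literal word whatever it contains.
function buildP4SyncSafe(string $port, string $user, string $client, string $ref): string
{
    $client = assertP4Identifier($client, 'client');
    $ref    = assertP4Identifier($ref, 'sourceReference');
    return 'p4 -p ' . escapeshellarg(assertP4Identifier($port, 'port'))
        . ' -u ' . escapeshellarg(assertP4Identifier($user, 'user'))
        . ' -c ' . escapeshellarg($client)
        . ' sync ' . escapeshellarg("//$client/...@$ref");
}

// Constructed sample: a sourceReference carrying a shell separator, the kind
// of value a malicious repository could place in package metadata.
$hostileRef = 'dev-main; id';

echo "unsafe: ", buildP4SyncUnsafe('perforce.example.test:1666', 'build', 'ws', $hostileRef), PHP_EOL;
// the ';' above ends the p4 command and starts a second command, 'id'

try {
    buildP4SyncSafe('perforce.example.test:1666', 'build', 'ws', $hostileRef);
} catch (InvalidArgumentException $e) {
    echo "safe:   ", $e->getMessage(), PHP_EOL;  // rejected before any shell call
}
echo "safe:   ", buildP4SyncSafe('perforce.example.test:1666', 'build', 'ws', 'dev-main'), PHP_EOL;
```

Validation and quoting are both applied because escapeshellarg() alone still lets a value beginning with '-' reach p4 as an option, which is the separate branch-name hardening the release notes mention.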
Attack Vector and Scope
The CVSS attack vector is Network, with Low attack complexity and no privileges required, making the flaws trivially exploitable by any malicious or compromised Composer repository operator. The impact is rated High across all three pillars, Confidentiality, Integrity, and Availability, translating to a potential complete system compromise.
Affected versions include:
- Composer >= 2.3 and < 2.9.6 (mainline branch)
- Composer >= 1.0 and < 2.2.27 (LTS branch)
The exploitation scenario for CVE-2026-40261 is particularly broad. Since the malicious sourceReference is delivered through package metadata rather than the root composer.json, any package hosted on a compromised or malicious Composer repository can serve as the attack vehicle.
This is triggered by default during dev-prefixed version installs (--prefer-source), meaning standard developer workflows are directly in scope without any unusual command-line flags.
CVE-2026-40176 has a slightly narrower scope; it requires the attacker to influence the root composer.json or Composer configuration directly, such as when a developer clones and installs an untrusted open-source project.
Security Fixes in Composer 2.9.6
Beyond the two headline vulnerabilities, the 2.9.6 and 2.2.27 releases address a cluster of additional security issues that further harden the Composer toolchain:
- Git credential exposure: Credentials were inadvertently left in git mirror .git/config files after failed clone or update operations, posing a credential theft risk
- Insecure 3DES cipher usage: When ext-curl was absent, Composer fell back to weak 3DES ciphers for network communication
- Unescaped user input in queryP4User: A related Perforce code path left shell commands vulnerable to injection through the P4User query function
- Branch name hardening: Git, Hg, Perforce, and Fossil identifier validation was tightened to prevent branch names beginning with - from causing unexpected behavior
Patch and Remediation
The patched versions, Composer 2.9.6 and Composer 2.2.27 LTS, were released on April 14, 2026, and are immediately available via the self-update mechanism. Developers should run the following command without delay:
composer self-update
For teams unable to immediately update, Composer recommends the following interim mitigations:
- Use --prefer-dist when installing packages, or set preferred-install: dist in your Composer configuration to avoid triggering source-based Perforce code paths
- Only consume packages from trusted, verified Composer repositories and audit your composer.json for any unexpected VCS repository declarations
- Audit CI/CD pipelines that run composer install or composer update on externally sourced packages to identify potential exposure windows
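The two configuration-side mitigations above (audit composer.json for unexpected VCS repositories, and prefer dist installs) can be checked mechanically. The following is an added example, not Composer’s or the advisory’s code; the function name and the sample composer.json are constructed.

```php
<?php
// Added example, not part of Composer or the advisory: audit a composer.json
// for the conditions the interim mitigations target. Function name is
// hypothetical; the sample document at the bottom is constructed.
function auditComposerJson(string $json): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return ['composer.json is not valid JSON'];
    }
    $findings = [];
    $vcsTypes = ['perforce', 'vcs', 'git', 'hg', 'fossil', 'svn'];

    // Every VCS-type repository is a point where a source URL (and, for
    // Perforce, the port/user/client fields taken from it) enters the build.
    foreach ($data['repositories'] ?? [] as $name => $repo) {
        if (!is_array($repo)) {
            continue;
        }
        $type = (string) ($repo['type'] ?? '');
        $url  = (string) ($repo['url'] ?? '');
        if (in_array($type, $vcsTypes, true)) {
            $findings[] = "review VCS repository '$name': type=$type url=$url";
        }
        // Shell metacharacters have no legitimate place in a repository URL.
        if (preg_match('/[;&|`$()<>\s]/', $url)) {
            $findings[] = "shell metacharacters in url of repository '$name': $url";
        }
    }

    // preferred-install: dist keeps installs on the archive path and away
    // from the Perforce source driver until Composer itself is upgraded.
    $preferred = $data['config']['preferred-install'] ?? null;
    if ($preferred !== 'dist') {
        $findings[] = 'config.preferred-install is not "dist" (found ' . json_encode($preferred) . ')';
    }
    return $findings;
}

// Constructed sample: one Perforce repository with a suspicious URL and a
// source-preferring config, both of which the audit should report.
$sample = <<<'JSON'
{
  "repositories": [
    {"type": "perforce", "url": "perforce.example.test:1666;echo hi"},
    {"type": "composer", "url": "https://repo.example.test"}
  ],
  "config": {"preferred-install": "source"}
}
JSON;

foreach (auditComposerJson($sample) as $finding) {
    echo "- $finding", PHP_EOL;
}
```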
Composer is installed in virtually every modern PHP environment, powering frameworks like Laravel and Symfony, WordPress plugins, and enterprise PHP stacks worldwide.
Supply chain attacks targeting package managers have accelerated sharply. This vulnerability pattern mirrors prior incidents in npm, PyPI, and RubyGems, where a single compromised repository triggered mass remote code execution across developer fleets.
The fact that exploitation requires only a malicious repository entry and no Perforce installation means the barrier to threat actors operating supply chain campaigns is dramatically lowered.
Security teams managing PHP development environments should treat this as a critical supply chain risk requiring immediate patching rather than a scheduled maintenance update.
FAQ
Q1: Does CVE-2026-40261 require Perforce to be installed to exploit?
No, Composer executes the crafted shell command regardless of whether Perforce VCS is present on the system.
Q2: Which Composer versions are affected by these vulnerabilities?
All versions from 1.0 to 2.2.26 and 2.3 to 2.9.5 are vulnerable; patched versions are 2.2.27 (LTS) and 2.9.6 (mainline).
Q3: Can these flaws be exploited through a public Packagist package?
Yes, any malicious or compromised Composer repository, including public ones, can serve crafted package metadata to trigger the injection.
Q4: What is the fastest mitigation if updating Composer immediately isn’t possible?
Use --prefer-dist during installs and restrict operations to trusted repositories until the patch is applied.