
CVE-2026-40176

Severity: High
Published: 15 April 2026
Modified: 25 April 2026
KEV Added: not listed
Patch: available (2.2.27 / 2.9.6)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40176 is a high-severity Improper Input Validation (CWE-20) vulnerability in Getcomposer Composer. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40176 is a command injection vulnerability in Composer, a dependency manager for PHP. The issue resides in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. It affects Composer versions 1.0 through 2.2.26 and 2.3 through 2.9.5. The vulnerability allows arbitrary command injection even if Perforce is not installed on the system.

An attacker can exploit this by crafting a malicious composer.json file that declares a Perforce VCS repository with specially crafted connection parameters, tricking a user into running Composer commands on the untrusted project. Exploitation requires local access to run the command (AV:L), no privileges (PR:N), and user interaction such as executing Composer (UI:R). Successful exploitation leads to arbitrary command execution in the context of the user running Composer. Notably, VCS repositories are only loaded from the root composer.json or the composer config directory, preventing exploitation through composer.json files of dependency packages.

The Composer security advisory (GHSA-wg36-wvj6-r67p) and release notes for versions 2.2.27 (2.2 LTS) and 2.9.6 (mainline) detail the fix, recommending immediate upgrades to patched versions to mitigate the issue. The vulnerability is rated 7.8 on the CVSS v3.1 scale (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-20 (Improper Input Validation) and CWE-78 (OS Command Injection).


Vulnerability details

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
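The two checks a defender most wants from the description above are (a) whether a given Composer build falls inside the affected ranges the advisory lists, and (b) whether the root composer.json of a project they did not author declares a Perforce repository whose connection values carry shell metacharacters, the class of input that the unescaped interpolation in Perforce::generateP4Command() handed to the shell. The script below is an added example written for this page; it is not Composer's own code and does not call Composer. The sample composer.json is constructed, and the field names in it (url, p4user) are assumptions: the scanner inspects every string value of a repository entry whose type is "perforce", so it does not depend on them.

```python
"""Defender-side triage for CVE-2026-40176 (Composer Perforce command injection).

Added example, not Composer's own code. Two checks to run before invoking
Composer on a project you did not author:
  1. is_affected(): compare a Composer version string against the affected
     ranges stated in the advisory (1.0.0-2.2.26 and 2.3.0-2.9.5).
  2. find_suspicious_perforce_repos(): scan the root composer.json for
     repositories of type "perforce" whose string values contain shell
     metacharacters.
"""
import json
import re

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [((1, 0, 0), (2, 2, 26)), ((2, 3, 0), (2, 9, 5))]

# Characters that let a value break out of a single shell word.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}]")

# Constructed sample: one clean Perforce repository, one whose "url" carries
# a shell metacharacter, and one non-Perforce repository that is outside the
# scope of this CVE. Field names (url, p4user) are assumed.
SAMPLE_COMPOSER_JSON = """
{
  "name": "acme/app",
  "repositories": [
    {"type": "perforce", "url": "perforce.example.com:1666",
     "p4user": "builder"},
    {"type": "perforce", "url": "perforce.example.com:1666; echo injected",
     "p4user": "builder"},
    {"type": "vcs", "url": "https://example.com/lib.git"}
  ]
}
"""


def parse_version(version: str) -> tuple:
    """Turn '2.9.5' (or '2.9.5-RC1') into a comparable (major, minor, patch) tuple."""
    core = version.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the Composer version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_suspicious_perforce_repos(composer_json: str) -> list:
    """Return (repo index, field, value) for every string value of a
    perforce-type repository that contains a shell metacharacter."""
    data = json.loads(composer_json)
    repos = data.get("repositories", [])
    if isinstance(repos, dict):  # composer.json also accepts a keyed object
        repos = list(repos.values())
    findings = []
    for idx, repo in enumerate(repos):
        # Entries such as {"packagist.org": false} are not repository dicts
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for field, value in repo.items():
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append((idx, field, value))
    return findings


if __name__ == "__main__":
    for ver in ("2.2.26", "2.2.27", "2.9.5", "2.9.6"):
        print(f"composer {ver} affected: {is_affected(ver)}")
    for idx, field, value in find_suspicious_perforce_repos(SAMPLE_COMPOSER_JSON):
        print(f"repositories[{idx}].{field} contains shell metacharacters: {value!r}")
```

Run it against the root composer.json of a checked-out project before the first `composer install`; any finding means the project should be treated as untrusted until Composer is at 2.2.27 or 2.9.6 and the repository declaration has been reviewed. The scanner deliberately limits itself to the root file, matching the advisory's note that Perforce repositories are only loaded from the root composer.json or the Composer config directory.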


Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The command injection vulnerability in the Composer client-side dependency manager tool allows arbitrary OS command execution when processing a malicious composer.json file with crafted Perforce parameters, directly enabling exploitation of client applications for code execution (T1203) and execution of injected commands via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40261 (same product: Getcomposer Composer)
CVE-2026-40032 (shared CWE-78)
CVE-2025-43253 (shared CWE-20)
CVE-2026-6849 (shared CWE-78)
CVE-2026-24844 (shared CWE-78)
CVE-2026-39862 (shared CWE-78)
CVE-2026-40030 (shared CWE-78)
CVE-2026-33412 (shared CWE-78)
CVE-2025-1244 (shared CWE-78)
CVE-2026-41015 (shared CWE-78)

Affected Assets

getcomposer/composer: 1.0.0 to 2.2.26 and 2.3.0 to 2.9.5

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Timely flaw remediation through patching Composer to version 2.2.27 or 2.9.6 directly eliminates the command injection vulnerability in Perforce::generateP4Command().

SI-10 Information Input Validation (prevent): Validation of untrusted inputs such as the Perforce connection parameters (port, user, client) read from composer.json blocks command injection via improper interpolation.

CM-7 Least Functionality (prevent): Restricting Composer to least functionality by disabling unused Perforce VCS repository support prevents exploitation through malicious composer.json declarations.
