CVE-2026-40176
Published: 15 April 2026
Summary
CVE-2026-40176 is a high-severity Improper Input Validation (CWE-20) vulnerability in Getcomposer Composer. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40176 is a command injection vulnerability in Composer, a dependency manager for PHP. The issue resides in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. It affects Composer versions 1.0 through 2.2.26 and 2.3 through 2.9.5. The vulnerability allows arbitrary command injection even if Perforce is not installed on the system.
An attacker can exploit this by crafting a malicious composer.json file that declares a Perforce VCS repository with specially crafted connection parameters, tricking a user into running Composer commands on the untrusted project. Exploitation requires local access to run the command (AV:L), no privileges (PR:N), and user interaction such as executing Composer (UI:R). Successful exploitation leads to arbitrary command execution in the context of the user running Composer. Notably, VCS repositories are only loaded from the root composer.json or the composer config directory, preventing exploitation through composer.json files of dependency packages.
The Composer security advisory (GHSA-wg36-wvj6-r67p) and release notes for versions 2.2.27 (2.2 LTS) and 2.9.6 (mainline) detail the fix, recommending immediate upgrades to patched versions to mitigate the issue. The vulnerability is rated 7.8 on the CVSS v3.1 scale (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-20 (Improper Input Validation) and CWE-78 (OS Command Injection).
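The pattern the advisory describes, shown as an added example that is not Composer's code: a builder that interpolates Perforce connection parameters into a shell string beside a hardened builder that escapes each untrusted value, plus an input-validation check of the kind SI-10 calls for. The parameter names, the allowed character set and the sample repository entry are illustrative assumptions, not taken from Composer.

```php
<?php
// Added example, not Composer's own code. Parameter names are illustrative.

// Vulnerable pattern: values taken from composer.json are pasted straight
// into the command string, so shell metacharacters in them are interpreted.
function buildP4CommandUnsafe(string $port, string $user, string $client, string $subcmd): string
{
    return "p4 -p $port -u $user -c $client $subcmd";
}

// Hardened pattern: every user-controlled value becomes one quoted shell
// argument, so the shell never parses its contents. $subcmd is program-chosen.
function buildP4CommandSafe(string $port, string $user, string $client, string $subcmd): string
{
    return sprintf(
        'p4 -p %s -u %s -c %s %s',
        escapeshellarg($port),
        escapeshellarg($user),
        escapeshellarg($client),
        $subcmd
    );
}

// Input validation (SI-10): accept only characters a Perforce port, user or
// client name legitimately needs (assumed allow-list; tighten for your site).
function isSafeP4Value(string $value): bool
{
    return preg_match('/^[A-Za-z0-9._:@\/-]+$/', $value) === 1;
}

// Constructed repository entry whose port field carries a shell metacharacter.
$repo = ['port' => '1666; echo injected', 'user' => 'build', 'client' => 'ws1'];

foreach ($repo as $key => $value) {
    if (!isSafeP4Value($value)) {
        echo "rejected $key: $value\n";
    }
}

echo buildP4CommandUnsafe($repo['port'], $repo['user'], $repo['client'], 'info'), "\n";
echo buildP4CommandSafe($repo['port'], $repo['user'], $repo['client'], 'info'), "\n";
```

The unsafe builder emits a string the shell would split at the semicolon into two commands, while the hardened builder keeps the whole port value inside one single-quoted argument, and the validator flags it before any command is built.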
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23118
Vulnerability details
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in the Composer client-side dependency manager tool allows arbitrary OS command execution when processing a malicious composer.json file with crafted Perforce parameters, directly enabling exploitation of client applications for code execution (T1203) and execution of injected commands via Unix shell (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Timely flaw remediation through patching Composer to version 2.2.27 or 2.9.6 directly eliminates the command injection vulnerability in Perforce::generateP4Command().
- SI-10 (Information Input Validation): Requires validation of untrusted inputs such as the Perforce connection parameters (port, user, client) read from composer.json, blocking command injection via improper interpolation.
- CM-7 (Least Functionality): Restricts Composer to least functionality by disabling unused Perforce VCS repository support, preventing exploitation through malicious composer.json declarations.