Cyber Resilience

CVE-2026-40261

Severity: High · RCE · Updated

Published: 15 April 2026
Modified: 30 June 2026
KEV Added: not listed
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0126 (65.8th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40261 is a high-severity Improper Input Validation (CWE-20) vulnerability in Getcomposer Composer. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE ranks in the top 34.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

Composer, a dependency manager for PHP, in versions 1.0 through 2.2.26 and 2.3 through 2.9.5, suffers from a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping. It also affects the Perforce::generateP4Command() method, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source URL field without proper escaping, as related to GHSA-wg36-wvj6-r67p / CVE-2026-40176. These flaws enable arbitrary command injection through crafted source reference or source URL values containing shell metacharacters, even if Perforce is not installed.

Attackers can exploit this vulnerability by compromising or controlling a Composer repository to serve package metadata that declares Perforce as the source type with malicious values. Exploitation is possible when developers install or update dependencies from source, including the default behavior for dev-prefixed versions. No privileges are required (PR:N), but user interaction is needed (UI:R), such as tricking a developer into using the malicious repository, potentially resulting in high-impact arbitrary command execution affecting confidentiality, integrity, and availability.

The issue is fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). As a workaround, developers unable to update can use --prefer-dist or the preferred-install: dist config setting to avoid source-based installations and should only use trusted Composer repositories. Further details are in the security advisory at https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q and release notes at https://github.com/composer/composer/releases/tag/2.9.6.

Vulnerability details

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method, as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.
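As an added example (not from the advisory or the Composer project), the following Python audit checks a Composer version against the affected ranges above, lists every Perforce-sourced package in a composer.lock and names the url or reference values that carry shell metacharacters, and verifies whether composer.json applies the preferred-install: dist workaround. The sample lock file is constructed, and the metacharacter set is an assumption rather than Composer's own escaping rules.

```python
import json
import re
# Affected ranges from the advisory; fixed in 2.2.27 (LTS) and 2.9.6 (mainline).
AFFECTED_RANGES = (((1, 0, 0), (2, 2, 26)), ((2, 3, 0), (2, 9, 5)))
# Characters that break out of a shell command (an assumed set, not Composer's own).
SHELL_META = re.compile(r'[;&|`$<>()\s"\'\\]')

def parse_version(v):
    """'v2.9.5' -> (2, 9, 5); a pre-release suffix such as '-RC1' is dropped."""
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split(".")[:3])

def is_vulnerable_version(v):
    """True if this Composer version falls inside an affected range."""
    return any(lo <= parse_version(v) <= hi for lo, hi in AFFECTED_RANGES)

def audit_lock(lock_json):
    """List Perforce-sourced packages in a composer.lock, naming the source
    fields (url / reference) that contain shell metacharacters."""
    lock, findings = json.loads(lock_json), []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            src = pkg.get("source") or {}
            if str(src.get("type", "")).lower() != "perforce":
                continue
            tainted = [k for k in ("url", "reference")
                       if SHELL_META.search(str(src.get(k, "")))]
            findings.append({"name": pkg.get("name"), "section": section,
                             "suspicious_fields": tainted})
    return findings

def prefers_dist(composer_json):
    """True if composer.json applies the preferred-install: dist workaround
    globally (string form, or map form with every entry set to 'dist')."""
    pref = json.loads(composer_json).get("config", {}).get("preferred-install")
    if isinstance(pref, dict):
        return bool(pref) and all(v == "dist" for v in pref.values())
    return pref == "dist"

# Constructed composer.lock: one git package and two Perforce-sourced packages,
# the second of which carries an injected command in its reference.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/clean", "version": "1.2.0", "source": {"type": "git",
         "url": "https://example.test/clean.git", "reference": "0123abcd"}},
        {"name": "acme/p4lib", "version": "dev-main", "source": {"type": "perforce",
         "url": "p4.example.test:1666", "reference": "@head"}}],
    "packages-dev": [
        {"name": "acme/p4tool", "version": "dev-main", "source": {"type": "perforce",
         "url": "p4.example.test:1666", "reference": "@head; echo injected"}}]})
```

Any Perforce-sourced package is worth reviewing on an unpatched Composer even when no metacharacters are found, since the vulnerable code path runs whether or not Perforce is installed.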

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The command injection vulnerability in Composer enables attackers to compromise or control a repository serving malicious package metadata (with Perforce source type and unsanitized values), directly facilitating supply chain compromise of software dependencies and development tools to achieve arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40176: same product (Getcomposer Composer)
CVE-2026-45391: shared CWE-20, CWE-78
CVE-2025-14213: shared CWE-20, CWE-78
CVE-2026-24893: shared CWE-20, CWE-78
CVE-2024-55020: shared CWE-20, CWE-78
CVE-2024-56132: shared CWE-20, CWE-78
CVE-2025-34161: shared CWE-20, CWE-78
CVE-2026-25143: shared CWE-78
CVE-2025-8876: shared CWE-20, CWE-78
CVE-2026-21893: shared CWE-20, CWE-78

Affected Assets

getcomposer/composer: 1.0.0 to 2.2.26 and 2.3.0 to 2.9.5

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires timely remediation of the command injection vulnerability by updating Composer to fixed versions 2.2.27 or 2.9.6.

Prevent (CM-6, Configuration Settings): Enforces secure Composer configuration settings such as preferred-install: dist to avoid source-based installations that trigger the vulnerable Perforce code paths.

Prevent (SI-10, Information Input Validation): Mandates validation and sanitization of untrusted inputs like package metadata source references and URLs to prevent shell command injection.
