CVE-2026-40261
Published: 15 April 2026
Summary
CVE-2026-40261 is a high-severity Improper Input Validation (CWE-20) vulnerability in Getcomposer Composer. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE is ranked in the top 34.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
Composer, a dependency manager for PHP, in versions 1.0 through 2.2.26 and 2.3 through 2.9.5, suffers from a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping. It also affects the Perforce::generateP4Command() method, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source URL field without proper escaping, as related to GHSA-wg36-wvj6-r67p / CVE-2026-40176. These flaws enable arbitrary command injection through crafted source reference or source URL values containing shell metacharacters, even if Perforce is not installed.
Attackers can exploit this vulnerability by compromising or controlling a Composer repository so that it serves package metadata declaring Perforce as the source type with malicious values. Exploitation is possible whenever developers install or update dependencies from source, which is the default behavior for dev-prefixed versions. No privileges are required (PR:N), but user interaction is needed (UI:R), for example a developer being tricked into using the malicious repository; successful exploitation results in arbitrary command execution with high impact on confidentiality, integrity, and availability.
The issue is fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). As a workaround, developers unable to update can use --prefer-dist or the preferred-install: dist config setting to avoid source-based installations and should only use trusted Composer repositories. Further details are in the security advisory at https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q and release notes at https://github.com/composer/composer/releases/tag/2.9.6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23119
Vulnerability details
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.
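The following script is an added example, not Composer's own code and not part of the advisory: it audits a composer.lock for packages whose metadata declares the perforce source type, flags source fields (url, reference) that contain shell metacharacters, and checks whether a composer.json enforces the preferred-install: dist workaround. The lock-file and composer.json samples are constructed, and the metacharacter set is an assumption based on the advisory's description.

```python
import json
import re

# Shell metacharacters that, per the advisory, reach a shell command unescaped
# when present in a perforce source reference or URL (set is an assumption).
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")
# Lock-file "source" fields interpolated by Perforce::syncCodeBase() (reference)
# and Perforce::generateP4Command() (url), as described in the advisory.
SOURCE_FIELDS = ("url", "reference")

# Constructed sample composer.lock: one benign git package and one package whose
# metadata declares perforce as source type with a metacharacter in the reference.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/benign", "version": "1.2.3",
         "source": {"type": "git", "url": "https://example.invalid/benign.git",
                    "reference": "0123abcd"}},
        {"name": "vendor/suspect", "version": "dev-main",
         "source": {"type": "perforce", "url": "p4.example.invalid:1666",
                    "reference": "//depot/main;echo INJECTED"}},
    ],
    "packages-dev": [],
})


def audit_lock(lock_json: str) -> list:
    """One finding per perforce-sourced package; nothing is executed, only JSON is read."""
    data = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            src = pkg.get("source") or {}
            if str(src.get("type", "")).lower() != "perforce":
                continue
            # Fields whose value would be passed to the shell with metacharacters intact.
            bad = [f for f in SOURCE_FIELDS if SHELL_META.search(str(src.get(f, "")))]
            findings.append({"package": pkg.get("name"), "section": section,
                             "suspicious_fields": bad, "suspicious": bool(bad)})
    return findings


def prefers_dist(composer_json: str) -> bool:
    """True when composer.json enforces the advisory's workaround (preferred-install: dist)."""
    pref = json.loads(composer_json).get("config", {}).get("preferred-install")
    if isinstance(pref, dict):  # per-package map form; the "*" fallback decides
        return pref.get("*") == "dist"
    return pref == "dist"
```

Run audit_lock over a real composer.lock before updating; any perforce-sourced package from a repository you do not control deserves review even when no metacharacters are found.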
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An attacker who compromises or controls a Composer repository can serve package metadata (Perforce source type with unsanitized reference or URL values) that triggers the command injection on the developer's machine. This maps directly to supply chain compromise of software dependencies and development tools (T1195.001), with arbitrary command execution as the outcome.
Mitigating Controls (NIST 800-53 r5)
- Timely remediation of the command injection vulnerability by updating Composer to the fixed versions 2.2.27 or 2.9.6.
- CM-6 (Configuration Settings): enforce secure Composer configuration such as preferred-install: dist to avoid source-based installations that reach the vulnerable Perforce code paths.
- SI-10 (Information Input Validation): validate and sanitize untrusted inputs such as package metadata source references and URLs so they cannot inject into shell commands.