Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using the ghs<id>_<base64url-JWT> format can contain -, fail validation, and be disclosed to stderr or CI logs. This issue is fixed in versions 1.10.28, 2.2.28, and 2.9.8.
{
"cwe_ids": [
"CWE-200"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45793.json",
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "1.0"
},
{
"fixed": "1.10.28"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.28"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.9.8"
}
],
"source": [
"AFFECTED_FIELD",
"REFERENCES"
]
}