CVE-2026-45793

Source
https://cve.org/CVERecord?id=CVE-2026-45793
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45793.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45793
Aliases
Downstream
Published
2026-07-15T16:22:19.418Z
Modified
2026-07-17T03:46:45.768814373Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Composer: Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs
Details

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using the ghs<id>_<base64url-JWT> format can contain -, fail validation, and be disclosed to stderr or CI logs. This issue is fixed in versions 1.10.28, 2.2.28, and 2.9.8.

Database specific
{
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45793.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/composer/composer

Affected ranges

Type
GIT
Repo
https://github.com/composer/composer
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.0"
        },
        {
            "fixed": "1.10.28"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.2.28"
        },
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.9.8"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

2.*
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.4.0-RC1
2.4.1
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.9.0
2.9.0-RC1
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45793.json"