Composer GitHub Actions Token Disclosure Vulnerability (CVE-2026-45793)
Severity Assessment
- Exploitability: 7/10 — GitHub advisory metadata scores CVE-2026-45793 at CVSS 3.1 7.5 (HIGH), and triggering conditions are common in CI workflows using Composer with GitHub-issued tokens.
- Impact: 8/10 — Leaked credentials can expose repository-scoped automation tokens to anyone with log access during active workflow windows.
- Weaponization Risk: 7/10 — Preconditions are routine in modern PHP CI, and disclosure occurs through normal error rendering rather than a rare edge case.
- Patch Urgency: 9/10 — Packagist and Composer maintainers issued emergency updates and urged immediate upgrade to patched versions.
- Detection Coverage: 5/10 — Detection is possible via CI log inspection and token-use monitoring, but prevention depends on patching and permission hardening.
Summary
CVE-2026-45793 (GHSA-f9f8-rm49-7jv2) is a Composer vulnerability where GitHub OAuth-style tokens may be echoed in error output when token validation fails. The advisory describes a mismatch between Composer’s token character validation and newer GitHub token formats that may contain a hyphen.
According to the Composer/GitHub advisory, this can disclose GitHub Actions GITHUB_TOKEN values in workflow logs. Practical exposure depends on token scope, workflow context, and token lifetime, but the risk is material for CI environments where logs are broadly visible.
Composer maintainers released patched versions on 2026-05-13. Affected ranges include legacy and modern Composer branches, with fixes in 1.10.28, 2.2.28, and 2.9.8.
Exploit Chain
Stage 1: CI Token Registration
A workflow provides a GitHub token to Composer in automation context (for example via CI setup steps and auth configuration).
Stage 2: Validation Failure
Composer's token validation rejects certain token formats and throws an exception whose message includes the rejected token string, via the error path described by the advisory.
Stage 3: Log Disclosure
The exception output is written to CI logs, exposing raw token material to anyone who can read those logs while the token is still valid, that is, before expiration or revocation ends its usability.
Detection Guidance
- Review historical and active CI logs for accidental plaintext exposure of GitHub tokens tied to Composer authentication errors.
- Upgrade Composer to patched releases (1.10.28, 2.2.28, 2.9.8 or newer) across all CI runners.
- Restrict workflow token permissions to least privilege and reduce write scopes where not required.
- Limit log visibility and retention for sensitive CI jobs that process repository credentials.
- Rotate credentials and invalidate tokens if prior log exposure is suspected.
Indicators of Compromise
Primary sources do not provide a stable IOC set such as malware hashes, infrastructure indicators, or signature artifacts.
Operational indicators include:
- Composer errors in CI mentioning invalid GitHub token characters near authentication configuration failures.
- Workflow logs containing unredacted credential-like token strings.
- Unexpected repository actions that correlate with CI job execution windows and leaked token exposure.
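As an added example for the detection guidance and the operational indicators above (not code from Composer, the advisory, or the cited sources), the following Python scan flags CI log lines that carry GitHub-token-shaped strings, notes whether the line also looks like a Composer authentication error, and reports a redacted copy so the finding itself does not re-leak the secret. The error wording, the 20-character minimum token length and the sample log lines are constructed assumptions; the token prefixes are GitHub's public ones.

```python
import re
from dataclasses import dataclass

# Public GitHub token prefixes: ghp_ (personal), gho_ (OAuth), ghu_/ghs_ (app
# user/server; the Actions GITHUB_TOKEN is ghs_), ghr_ (refresh), github_pat_
# (fine-grained). '-' is allowed in the body because the advisory says newer
# formats may contain a hyphen. The 20-char minimum is an assumption.
TOKEN_RE = re.compile(r"\b(gh[pousr]_|github_pat_)([A-Za-z0-9_-]{20,})")

# Loose context match for a Composer token-validation failure; the advisory
# does not quote the exact message, so this wording is an assumption.
COMPOSER_ERR_RE = re.compile(r"composer|invalid github token", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    prefix: str             # token family that appeared in the log
    composer_context: bool  # line also looks like a Composer auth error
    redacted: str           # the line with the token masked, safe to report


def redact(line: str) -> str:
    """Mask every token-shaped string, keeping the prefix and last 4 chars."""
    return TOKEN_RE.sub(lambda m: f"{m.group(1)}***{m.group(2)[-4:]}", line)


def scan_log(lines) -> list:
    """Return one Finding per log line containing a GitHub-token-shaped string."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = TOKEN_RE.search(line)
        if m is None:
            continue
        findings.append(Finding(n, m.group(1),
                                bool(COMPOSER_ERR_RE.search(line)), redact(line)))
    return findings


# Constructed sample workflow log: the token is a made-up string, not a real
# GitHub token, and the error wording is an assumption about Composer's output.
SAMPLE_LOG = [
    "2026-05-13T10:01:02Z Run composer install --no-interaction",
    "2026-05-13T10:01:03Z composer: Invalid GitHub token characters in "
    "'ghs_EXAMPLE-not-a-real-token-0123456789abcdef'",
    "2026-05-13T10:01:04Z Process completed with exit code 1.",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {'COMPOSER-AUTH' if f.composer_context else 'TOKEN'}: {f.redacted}")
```

Any line flagged as COMPOSER-AUTH is a direct match for the indicator described above and should trigger token rotation; a plain TOKEN finding still warrants review of log visibility and retention.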
Disclosure Timeline
2026-05-13 — Public disclosure and emergency patches
Packagist and Composer maintainers publish emergency patch guidance and announce fixed Composer releases (1.10.28, 2.2.28, 2.9.8).
2026-05-19 — Security advisory publication
GitHub advisory GHSA-f9f8-rm49-7jv2 (CVE-2026-45793) is published with vulnerability details, severity metadata, and affected version ranges.
Sources & References
- Packagist: Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages — Packagist, 2026-05-13
- National Vulnerability Database: CVE-2026-45793 Detail — National Vulnerability Database, 2026-05-19
- GitHub: GHSA-f9f8-rm49-7jv2 Advisory — GitHub, 2026-05-19
- Sansec: Composer vulnerability leaks GitHub tokens, threatens PHP supply chain — Sansec, 2026-05-13