Threat Advisory

Composer Vulnerability Leaks GitHub Secrets in Plaintext Logs

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45793 (CVSS 7.5, High) is a vulnerability in Composer that leaks GitHub authentication tokens in plaintext into CI/CD job logs, public and private alike. It affects Composer releases prior to the fixed versions and is of particular concern where Composer commands run in GitHub Actions. The root cause is a change on GitHub's side: GitHub introduced a new structured format for GITHUB_TOKEN values and GitHub App installation tokens that contains a hyphen (-), a character that Composer's token validation logic, written in 2021, did not anticipate. Composer therefore treats such a token as malformed, and the error path that reports the invalid token writes the full token value to stderr. CI/CD environments routinely capture stderr into the job log, so anyone with access to that log can read the secret.

Exploitation requires nothing more than access to logs of jobs that ran Composer. The exposure is most serious on self-hosted runners, where a leaked token can remain valid for up to 24 hours, giving an attacker a window in which to use it for unauthorized access to the affected repositories. The resulting credential theft can lead to business disruption, and because the condition is triggered by ordinary Composer usage in CI rather than by any unusual configuration, thousands of repositories are potentially at risk. The consequences are most severe where the leaked token grants access to sensitive data or systems.
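The failure mode described above, as an added illustration that is not Composer's own code: a hypothetical token validator whose rejection message interpolates the raw token (so a CI runner capturing stderr records the secret), beside a hardened version that accepts the hyphenated format and redacts the value when it does reject, followed by a small scan a responder can run over captured job logs to find tokens that were already exposed. The regular expressions, the token values and the function names are assumptions constructed for this example; they are not GitHub's actual token grammar nor Composer's implementation.

```python
import re

# Assumption: this legacy pattern stands in for a 2021-era validator that
# accepted only letters, digits and underscores, so a token containing '-'
# is rejected as malformed.
LEGACY_TOKEN_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Updated pattern: '-' is now a legal token character.
UPDATED_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_vulnerable(token):
    """Vulnerable pattern: the rejection message interpolates the whole
    token. Anything written to stderr in CI ends up in the job log."""
    if not LEGACY_TOKEN_RE.fullmatch(token):
        return False, f'The GitHub token "{token}" is invalid'
    return True, None


def redact(token):
    """Keep only a short prefix so an operator can tell which credential
    was rejected without exposing it."""
    return token[:4] + "..." if len(token) > 4 else "***"


def validate_hardened(token):
    """Hardened pattern: accepts the hyphenated format, and on rejection
    the message carries only a redacted hint rather than the secret."""
    if not UPDATED_TOKEN_RE.fullmatch(token):
        return False, f"The GitHub token {redact(token)} is invalid"
    return True, None


# Heuristic for spotting GitHub-style tokens in captured log text
# (assumption: a 'gh?_' prefix followed by a long run of token characters).
LEAKED_TOKEN_RE = re.compile(r"\bgh[a-z]_[A-Za-z0-9_-]{16,}\b")


def find_leaked_tokens(log_text):
    """Return the distinct token-looking strings present in a job log,
    for triage of logs produced before the fix was applied."""
    return sorted(set(LEAKED_TOKEN_RE.findall(log_text)))


# Constructed sample values for the example; not real GitHub credentials.
OLD_STYLE_TOKEN = "ghs_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4"
NEW_STYLE_TOKEN = "ghs_" + "A1b2C3d4E5f6G7h8-I9j0K1l2M3n4"


def demo():
    """Run both validators on a hyphenated token and scan the simulated
    job log each one would produce."""
    results = {}
    for name, validator in (("vulnerable", validate_vulnerable),
                            ("hardened", validate_hardened)):
        ok, err = validator(NEW_STYLE_TOKEN)
        # Simulated job log: the command line followed by captured stderr.
        log = f"composer update\n{err or ''}\n"
        results[name] = {"accepted": ok, "leaked": find_leaked_tokens(log)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: accepted={r['accepted']} leaked={r['leaked']}")
```

The vulnerable validator rejects the hyphenated token and its error line carries the secret, which the scan recovers from the log; the hardened validator accepts it, and when it does reject something its message yields nothing for the scan to find. Run the scan over archived job logs from before the upgrade and treat every hit as a compromised credential.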


RECOMMENDATION:

We recommend updating Composer to version 2.9.8 or 2.2.28 (LTS). Because a leaked token can remain valid for up to 24 hours, review CI/CD job logs produced by unpatched Composer versions for exposed tokens and treat any token found there as compromised.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/composer-github-token-leak-vulnerability-cve-2026-45793/
