SB2026051396 - Information disclosure in composer

Published: May 13, 2026

Security Bulletin ID SB2026051396
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Information disclosure (CVE-ID: N/A)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in Composer\IO\BaseIO::loadConfiguration() when validating GitHub OAuth tokens. When a configured token fails validation because it contains characters outside the allowed set, the rejected token is interpolated verbatim into the exception message, which Composer writes to stderr. In CI environments such as GitHub Actions, stderr is captured in the job log, so the token value can end up stored in the log. A remote attacker can supply a token containing invalid characters to trigger this disclosure.
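The following is an added illustration of the failure mode, not Composer's own code: a token validator written in the style of the configuration check described above, in a version that leaks the rejected value beside one that does not. The allowed-character pattern, the function names and the sample configuration are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from Composer. The pattern below is an assumed
// allow-list for GitHub OAuth tokens (letters, digits, "." and "_").
const TOKEN_PATTERN = '{^[.A-Za-z0-9_]+$}';

/**
 * Vulnerable variant: the rejected token is interpolated into the exception
 * message. Anything that logs the exception (stderr, a CI job log) now holds
 * the secret.
 */
function validateGithubTokensLeaky(array $githubOauth): void
{
    foreach ($githubOauth as $domain => $token) {
        if (preg_match(TOKEN_PATTERN, $token) !== 1) {
            throw new UnexpectedValueException(
                'Your github oauth token for ' . $domain
                . ' contains invalid characters: "' . $token . '"'
            );
        }
    }
}

/**
 * Hardened variant: the message names the domain and the rule that failed,
 * never the token itself. The domain is the only user-controlled value that
 * reaches the log, and it is not a secret.
 */
function validateGithubTokensSafe(array $githubOauth): void
{
    foreach ($githubOauth as $domain => $token) {
        if (preg_match(TOKEN_PATTERN, $token) !== 1) {
            throw new UnexpectedValueException(
                'Your github oauth token for ' . $domain
                . ' contains invalid characters (only letters, digits, "." and "_" are allowed)'
            );
        }
    }
}

/**
 * Check used to demonstrate the leak: run a validator against a config and
 * report whether the resulting exception message contains the raw token.
 */
function messageLeaksToken(callable $validator, array $githubOauth): bool
{
    try {
        $validator($githubOauth);
    } catch (UnexpectedValueException $e) {
        foreach ($githubOauth as $token) {
            if (str_contains($e->getMessage(), $token)) {
                return true;
            }
        }
    }

    return false;
}

// Constructed sample: a token that fails validation because of the trailing "!".
$config = ['github.com' => 'ghp_exampleSECRET!'];

foreach (['leaky' => 'validateGithubTokensLeaky', 'safe' => 'validateGithubTokensSafe'] as $label => $fn) {
    // Mirrors what happens when the exception escapes to stderr and a CI
    // runner such as GitHub Actions captures it into the job log.
    try {
        $fn($config);
    } catch (UnexpectedValueException $e) {
        fwrite(STDERR, "[$label] " . $e->getMessage() . PHP_EOL);
    }

    fwrite(STDOUT, sprintf(
        "[%s] token appears in exception message: %s\n",
        $label,
        messageLeaksToken($fn, $config) ? 'yes' : 'no'
    ));
}
```

Run with `php example.php`; the leaky variant prints the full token to stderr and `messageLeaksToken` reports `yes` for it and `no` for the hardened variant. The general rule the hardened version follows is that a validation error should describe which rule was violated, not echo the rejected secret, since exception messages routinely end up in logs the author of the check does not control.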


Remediation

Install the update from the vendor's website. Because a rejected token may already have been written to stderr and captured in CI logs, treat any token that triggered this error as exposed and rotate it.