Inclusion of Sensitive Information in Log Files in composer - #VU136611
Published: July 1, 2026
composer
Detailed vulnerability description
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists because sensitive information is inserted into log files through Composer debug output when Composer handles repository or package URLs that carry credentials in the username field. A local user can run Composer with debug verbosity and cause an embedded access token to be written to the verbose logs, disclosing sensitive information.
Exposure occurs only when all of the following hold: a credential is embedded in a handled URL, it is placed in the username slot, and the debug output is retained or shared where others can read it.
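For debug output that has already been retained or is about to be shared, the following added example (not Composer's code and not part of the advisory) finds URLs whose username slot carries a value and masks it. The log lines are constructed and do not reproduce Composer's real output format; the `NON_SECRET_USERS` allowlist is an assumption.

```python
import re

# scheme://userinfo@host ; userinfo may not contain "/", "?", "#" or whitespace,
# so an "@" later in the path or query is not mistaken for credentials.
URL_USERINFO = re.compile(r"\b([a-z][a-z0-9+.-]*://)([^\s/?#@]+)@", re.IGNORECASE)

# Assumption: usernames that are conventional and not secret (e.g. ssh://git@host).
NON_SECRET_USERS = {"git"}


def redact_line(line):
    """Return (redacted_line, hits) where hits counts masked userinfo fields."""
    hits = 0

    def mask(match):
        nonlocal hits
        scheme, userinfo = match.group(1), match.group(2)
        if ":" not in userinfo and userinfo.lower() in NON_SECRET_USERS:
            return match.group(0)  # plain, well-known username: leave as is
        hits += 1
        return scheme + "***@"  # covers both "token@" and "user:pass@"

    return URL_USERINFO.sub(mask, line), hits


def scan_log(text):
    """Redact a whole log; return (redacted_text, 1-based line numbers with hits)."""
    out, flagged = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        redacted, hits = redact_line(line)
        out.append(redacted)
        if hits:
            flagged.append(number)
    return "\n".join(out), flagged


# Constructed sample lines (not real Composer output); token values are fake.
SAMPLE_LOG = """\
Downloading https://FAKE-TOKEN-123@repo.example.test/packages.json
Downloading https://repo.example.test/@vendor/pkg.json?mail=a@b.test
Cloning ssh://git@repo.example.test/vendor/pkg.git
Downloading https://user:FAKE-PASS@repo.example.test/p2/pkg.json
"""

if __name__ == "__main__":
    redacted, flagged = scan_log(SAMPLE_LOG)
    print(redacted)
    print("lines with embedded credentials:", flagged)
```

Any token that appears on a flagged line should be treated as disclosed and rotated; masking the log does not undo earlier reads.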