Inclusion of Sensitive Information in Log Files in composer - #VU136611

 


Published: July 1, 2026


Vulnerability identifier: #VU136611
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: getcomposer.org
Affected software:
composer

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists because Composer writes sensitive information to its debug output when handling repository or package URLs that carry credentials in the username field. A local user can run Composer with debug verbosity, causing an embedded access token to be written to the verbose logs, and thereby disclose sensitive information.

Exposure occurs only when a credential is embedded in a handled URL, placed in the username slot, and the debug output is retained or shared where others can read it.
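
For teams that retain or share Composer debug output (CI job logs, support attachments), the following added example, which is not part of the original advisory or of Composer's code, scans log lines for URLs that carry a credential in the userinfo part and produces a redacted copy. The sample lines are constructed and do not reproduce Composer's actual output format; the `IGNORED_USERS` list and the `scan_log` name are assumptions of this example.

```python
import re

# scheme://userinfo@host ; userinfo is the part the advisory says can reach the log.
USERINFO_URL = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?P<userinfo>[^\s/?#@]+)@"
    r"(?P<host>[^\s/?#@]+)"
)
# Assumption: conventional, non-secret usernames (e.g. ssh://git@host) are skipped.
IGNORED_USERS = {"git"}


def scan_log(lines):
    """Return [(line_no, host, slot, redacted_line)] for URLs carrying credentials."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hits = []

        def redact(match):
            user, sep, _password = match["userinfo"].partition(":")
            if not sep and user in IGNORED_USERS:
                return match.group(0)  # leave non-secret usernames untouched
            slot = "username+password" if sep else "username"
            hits.append((match["host"], slot))
            return f"{match['scheme']}***@{match['host']}"

        redacted = USERINFO_URL.sub(redact, line)
        for host, slot in hits:
            findings.append((line_no, host, slot, redacted))
    return findings


# Constructed sample lines: not real Composer output, not real credentials.
SAMPLE_LOG = [
    "Reading ./composer.json",
    "Downloading https://CONSTRUCTED-TOKEN-0123@repo.example.org/acme/lib.git",
    "Cloning ssh://git@repo.example.org/acme/tool.git",
    "Fetching https://repo.example.org/packages.json",
    "Trying https://deploy:CONSTRUCTED-PASS@mirror.example.net/p2/acme.json",
]

if __name__ == "__main__":
    for line_no, host, slot, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: credential in {slot} slot for {host}: {redacted}")
```

Any token found this way in a retained log should be treated as disclosed and rotated, since redacting the stored copy does not undo earlier reads.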


Remediation

Install the security update from the vendor's website.
