Platform
php
Component
packistry/packistry
Fixed in
0.13.1
CVE-2026-27968 affects Packistry, a self-hosted Composer repository, prior to version 0.13.0. This vulnerability allows an attacker with an expired deploy token to access repository endpoints, potentially compromising package metadata and downloads. The issue stems from a missing expiration check in the authorization process. Version 0.13.0 resolves this by explicitly verifying token expiration.
An attacker possessing an expired deploy token with the correct ability could leverage this vulnerability to gain unauthorized access to Packistry's repository APIs. This could allow them to download malicious packages, modify package metadata, or even inject their own packages into the repository, potentially impacting downstream applications that rely on Packistry for PHP package management. The blast radius extends to any applications or systems that consume packages from a compromised Packistry instance. While the token is expired, the attacker still has access, which is a significant risk.
This vulnerability was disclosed on 2026-02-26. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept exploits are not currently available, but the vulnerability's nature makes it a potential target for automated scanning and exploitation. The CVSS score of 4.3 (Medium) reflects the potential impact and relatively low complexity of exploitation.
Exploit Status
EPSS
0.03% (6% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Packistry to version 0.13.0 or later, which includes the necessary expiration check. If upgrading is not immediately feasible, consider implementing stricter token management policies, such as shorter token expiration times and regular token rotation. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to detect and block requests from potentially expired tokens could provide an additional layer of defense. Regularly review and audit deploy token usage to identify and revoke any suspicious or unused tokens.
Update Packistry to version 0.13.0 or higher. This version corrects the vulnerability that allows unauthorized access via expired access tokens. The update ensures that expired tokens are correctly rejected.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27968 describes a vulnerability in Packistry where expired deploy tokens could still access repository APIs before version 0.13.0, potentially allowing unauthorized access to package metadata and downloads.
You are affected if you are using Packistry versions prior to 0.13.0. Check your Packistry version and upgrade immediately if you are vulnerable.
Upgrade Packistry to version 0.13.0 or later. This version includes an explicit expiration check for deploy tokens, preventing unauthorized access.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target. Proactive mitigation is recommended.
Refer to the Packistry project's security advisories and release notes on their official website or GitHub repository for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.