Platform
php
Component
composer/composer
Fixed in
2.3.1
1.0.1
2.9.6
CVE-2026-40176 is a Command Injection vulnerability discovered in Composer, a dependency management tool for PHP. This flaw arises from insufficient escaping of user-supplied Perforce connection parameters within the Perforce::generateP4Command() method. Exploitation allows an attacker to execute arbitrary commands on the system running Composer, even if Perforce itself isn't installed, posing a significant security risk. Affected versions include 1.0.0–>= 2.3, < 2.9.6, with a fix available in version 2.9.6.
The core of the vulnerability lies in Composer's handling of Perforce VCS repository configurations. An attacker can craft a malicious composer.json file, specifically targeting the Perforce repository settings (port, user, client). By injecting arbitrary commands into these parameters, the attacker can manipulate the shell commands generated by Perforce::generateP4Command(). When Composer processes this malicious composer.json file, it will execute the attacker-controlled commands in the context of the user running Composer. This effectively grants the attacker remote code execution capabilities. The blast radius is significant, as the attacker can potentially compromise the entire system running Composer, depending on the user's privileges. The fact that Perforce doesn't need to be installed makes this attack even more insidious, as it bypasses a common security assumption.
CVE-2026-40176 was published on 2026-04-15. Its severity is rated as HIGH with a CVSS score of 7.8. Currently, there are no publicly known active campaigns exploiting this vulnerability. There are no entries on KEV or EPSS at this time. While no public Proof-of-Concept (PoC) exploits have been released, the vulnerability's nature and ease of exploitation suggest a high likelihood of such exploits emerging. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40176 is to upgrade Composer to version 2.9.6 or later, which includes the necessary escaping fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds. Carefully review all composer.json files, particularly those related to Perforce VCS repositories, for any suspicious or unexpected content. Implement strict input validation on any user-provided data used in Composer configurations. Consider using a Web Application Firewall (WAF) or proxy to filter out potentially malicious commands within the composer.json file. Monitor Composer execution logs for any unusual activity or command executions. After upgrading to 2.9.6, confirm the fix by attempting to reproduce the vulnerability with a known malicious composer.json file; the command injection should be prevented.
Update Composer to version 2.2.27 or higher (2.2 LTS) or to version 2.9.6 (mainline) to mitigate the command injection vulnerability. Avoid using Composer on projects with untrusted composer.json files.
Vulnerability analysis and critical alerts directly to your inbox.
It's a Command Injection vulnerability in Composer, a PHP dependency manager, allowing attackers to execute arbitrary commands via malicious composer.json files.
You are affected if you are using Composer versions 1.0.0–>= 2.3, < 2.9.6. Check your Composer version and upgrade if necessary.
Upgrade Composer to version 2.9.6 or later. If immediate upgrade isn't possible, review composer.json files and consider WAF rules.
Currently, there are no known active campaigns exploiting this vulnerability, but the potential for exploitation is high.
Refer to the official Composer security advisory and the NVD entry for CVE-2026-40176 for detailed information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.