Platform
php
Component
packistry/packistry
Fixed in
0.13.1
CVE-2026-27968 affects Packistry, a self-hosted Composer repository, prior to version 0.13.0. This vulnerability allows an attacker with an expired deploy token to access repository endpoints, potentially compromising package metadata and downloads. The issue stems from a missing expiration check in the authorization process. Version 0.13.0 resolves this by explicitly verifying token expiration.
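To make the missing check concrete, here is an added illustration (not Packistry's code) of what a deploy-token authorization step looks like when it gates only on the token's ability, beside the shape of the fix, which refuses an expired token exactly as it would a revoked one. The names (DeployToken, authorize_vulnerable, authorize_fixed) and the sample tokens are assumptions made for this example; the naive-timestamp branch handles the case where expiry dates come out of storage without a timezone.

```python
"""Deploy-token authorization: the missing expiry check beside the fixed version.

Added illustration, not Packistry's code: it models a deploy token as a set
of abilities plus an optional expiry, and an authorization step that before
the fix gated only on the ability. Names (DeployToken, authorize_vulnerable,
authorize_fixed) and the sample tokens are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class DeployToken:
    token_id: str
    abilities: FrozenSet[str]
    expires_at: Optional[datetime]  # None: the token never expires
    revoked: bool = False


def authorize_vulnerable(token: DeployToken, ability: str) -> bool:
    """Pre-fix shape: revocation and ability are checked, expiry is not."""
    return not token.revoked and ability in token.abilities


def authorize_fixed(token: DeployToken, ability: str, now: Optional[datetime] = None) -> bool:
    """Fixed shape: an expired token is refused exactly like a revoked one."""
    now = now or datetime.now(timezone.utc)
    if token.revoked:
        return False
    if token.expires_at is not None:
        expires_at = token.expires_at
        if expires_at.tzinfo is None:
            # Assumed: naive timestamps from storage are UTC. Without this,
            # comparing naive and aware datetimes raises TypeError.
            expires_at = expires_at.replace(tzinfo=timezone.utc)
        if now >= expires_at:
            return False
    return ability in token.abilities


# Constructed clock and tokens for the comparison below.
NOW = datetime(2026, 2, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_TOKENS: Dict[str, DeployToken] = {
    "expired_reader": DeployToken("t1", frozenset({"repo:read"}), NOW - timedelta(days=30)),
    "live_reader": DeployToken("t2", frozenset({"repo:read"}), NOW + timedelta(days=30)),
    "never_expires": DeployToken("t3", frozenset({"repo:read"}), None),
    "expired_naive": DeployToken("t4", frozenset({"repo:read"}), datetime(2026, 1, 1)),
    "expired_wrong_ability": DeployToken("t5", frozenset({"repo:write"}), NOW - timedelta(days=1)),
}


def compare(ability: str = "repo:read", now: datetime = NOW) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample token to (vulnerable decision, fixed decision)."""
    return {name: (authorize_vulnerable(tok, ability), authorize_fixed(tok, ability, now))
            for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in compare().items():
        print(f"{name:24s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The only row where the two decisions differ is the expired token with the right ability, which is precisely the case the CVE describes; a token with the wrong ability is refused by both versions, which is why the advisory qualifies the attacker as holding a token "with the correct ability".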
An attacker holding an expired deploy token that still carries the required ability could call Packistry's repository API as though the token were valid: listing package metadata, downloading package archives and, to the extent that ability allows, exercising whatever else it grants. Every application that installs packages from the affected instance sits in the blast radius, because the token holder retains the same view of the repository a current token would give. The practical risk is that expiry no longer revokes anything: tokens operators believe are dead, such as those left in old CI configurations, keep working until they are deleted or the instance is patched.
This vulnerability was disclosed on 2026-02-26. There is no indication of active exploitation or a KEV listing at the time of writing, and no public proof of concept, although none is needed: an attacker who already has an expired token simply keeps using it. The CVSS score of 4.3 (Medium) reflects a modest impact and low attack complexity.
Organizations that self-host Packistry are at risk, most of all those with legacy deployment pipelines or lax token hygiene, where expired tokens are likely to linger in old CI configurations and on developer machines. Instances shared by several teams or tenants deserve particular attention: an expired token issued to one team still reaches whatever packages that token's ability covered.
• php: Examine Packistry's request logs for successful repository API calls authenticated with a deploy token whose expiry date had already passed. An unpatched instance does not flag these itself, so correlate the token identifier recorded per request with that token's configured expiry (from the token table or the admin UI) rather than relying on the log alone. The grep below only helps if your log actually records a field of that name:
grep 'token_expiration' /path/to/packistry/logs/access.log
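The correlation described above, as an added example that is not part of the page or of Packistry: it assumes a per-request log line carrying an ISO-8601 timestamp, the deploy-token identifier, the HTTP method, path and status (the line format is invented), plus an export of the token table as id, ability and expiry. Both inputs are constructed sample data; only successful (2xx) responses made at or after the expiry time are reported, since a 401 means something else already stopped the request.

```python
"""Flag repository requests that were served with an already-expired deploy token.

Added example (not Packistry's own code or log format). It assumes:
  * a per-request log line carrying an ISO-8601 timestamp, the deploy-token
    identifier, the HTTP method, path and status (format below is invented);
  * an export of the token table: id -> (ability, expires_at), where
    expires_at is None for tokens that never expire.
Both inputs here are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed token inventory (assumed export of Packistry's token table).
TOKEN_INVENTORY: Dict[str, Tuple[str, Optional[datetime]]] = {
    "tok_01": ("repo:read", datetime(2026, 1, 31, tzinfo=timezone.utc)),
    "tok_02": ("repo:read", None),
    "tok_03": ("repo:write", datetime(2026, 3, 15, tzinfo=timezone.utc)),
}

# Constructed log lines in the assumed format "<ts> token=<id> <METHOD> <path> <status>".
SAMPLE_LOG = """\
2026-01-30T23:59:00+00:00 token=tok_01 GET /repository/packages.json 200
2026-02-10T08:12:41+00:00 token=tok_01 GET /repository/dist/acme/lib/1.2.0.zip 200
2026-02-10T08:13:02+00:00 token=tok_02 GET /repository/packages.json 200
2026-02-11T10:00:00+00:00 token=tok_03 POST /repository/packages 201
2026-02-12T12:00:00+00:00 token=tok_99 GET /repository/packages.json 401
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    token: str
    requested_at: datetime
    expired_at: datetime
    path: str
    status: int


def find_expired_token_use(log_text: str, inventory) -> List[Finding]:
    """Return successful requests made at or after the token's expiry time."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line; count these separately in real use
        token = m["token"]
        if token not in inventory:
            continue  # unknown token: already rejected, or not a deploy token
        _ability, expires_at = inventory[token]
        if expires_at is None:
            continue  # never-expiring token: not this bug, but worth its own review
        requested_at = datetime.fromisoformat(m["ts"])
        status = int(m["status"])
        # Only a 2xx proves the missing check was exercised; a 401 means
        # something else (patched instance, wrong ability) already stopped it.
        if requested_at >= expires_at and 200 <= status < 300:
            findings.append(Finding(token, requested_at, expires_at, m["path"], status))
    return findings


if __name__ == "__main__":
    for f in find_expired_token_use(SAMPLE_LOG, TOKEN_INVENTORY):
        print(f"{f.token} used {f.requested_at.isoformat()} (expired {f.expired_at.date()}) "
              f"{f.path} -> {f.status}")
```

On the sample data only the second tok_01 request is reported: the first falls before the token's expiry, tok_02 never expires, tok_03 is still live and tok_99 is not in the inventory at all. Treating the expiry instant itself as expired (`>=`) keeps the detector consistent with a check that refuses tokens at that same instant.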
Exploit Status
EPSS
0.03% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Packistry to version 0.13.0 or later, which adds the expiration check. If upgrading is not immediately feasible, revoke expired deploy tokens outright rather than relying on their expiry date, shorten token lifetimes, and rotate tokens regularly; on an unpatched instance, revocation is the only control that actually stops an expired token. A Web Application Firewall cannot tell an expired token from a live one on its own, because expiry is recorded in Packistry's token table, so a WAF rule only helps if it is fed an explicit blocklist of token identifiers, which amounts to manual revocation by another route. Regularly review and audit deploy token usage to identify and revoke any suspicious or unused tokens.
Update Packistry to version 0.13.0 or later. This version fixes the vulnerability that allowed unauthorized access via expired access tokens. The update ensures that expired tokens are correctly rejected.
CVE-2026-27968 describes a vulnerability in Packistry where expired deploy tokens could still access repository APIs before version 0.13.0, potentially allowing unauthorized access to package metadata and downloads.
You are affected if you are using Packistry versions prior to 0.13.0. Check your Packistry version and upgrade immediately if you are vulnerable.
Upgrade Packistry to version 0.13.0 or later. This version includes an explicit expiration check for deploy tokens, preventing unauthorized access.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target. Proactive mitigation is recommended.
Refer to the Packistry project's security advisories and release notes on their official website or GitHub repository for the latest information.