Platform: php
Component: packistry/packistry
Fixed in: 0.13.1
CVE-2026-27968 affects Packistry, a self-hosted Composer repository, prior to version 0.13.0. This vulnerability allows an attacker with an expired deploy token to access repository endpoints, potentially compromising package metadata and downloads. The issue stems from a missing expiration check in the authorization process. Version 0.13.0 resolves this by explicitly verifying token expiration.
An attacker possessing an expired deploy token with the correct ability could leverage this vulnerability to gain unauthorized access to Packistry's repository APIs. This could allow them to download malicious packages, modify package metadata, or even inject their own packages into the repository, potentially impacting downstream applications that rely on Packistry for PHP package management. The blast radius extends to any applications or systems that consume packages from a compromised Packistry instance. Even though the token has expired, it still grants access, which is a significant risk.
This vulnerability was disclosed on 2026-02-26. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept exploits are not currently available, but the vulnerability's nature makes it a potential target for automated scanning and exploitation. The CVSS score of 4.3 (Medium) reflects the potential impact and relatively low complexity of exploitation.
Organizations using Packistry for self-hosting PHP packages, particularly those with legacy deployment pipelines or less stringent token management practices, are at risk. Shared hosting environments where multiple users share a Packistry instance are also particularly vulnerable, as a compromised token from one user could potentially impact others.
• php: Examine Packistry logs for requests originating from tokens with unusually long durations or timestamps that suggest they may be expired.
grep 'token_expiration' /path/to/packistry/logs/access.log
Exploit status
EPSS: 0.03% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Packistry to version 0.13.0 or later, which includes the necessary expiration check. If upgrading is not immediately feasible, consider implementing stricter token management policies, such as shorter token expiration times and regular token rotation. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to detect and block requests from potentially expired tokens could provide an additional layer of defense. Regularly review and audit deploy token usage to identify and revoke any suspicious or unused tokens.
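The root cause described above (an authorization check that verifies a deploy token's ability but never its expiry) and the fix that 0.13.0 introduces (an explicit expiration check) are easy to see side by side. The following PHP is an added illustration written for this page, not Packistry's own code: the `DeployToken` class, its field names, the `repository:read` ability string and the sample tokens are all assumed for the demonstration.

```php
<?php
// Added illustration, not Packistry's code: an authorization check that only
// verifies a deploy token's ability, beside one that also rejects expired
// tokens. The token shape, field names and ability strings are assumed.
declare(strict_types=1);

final class DeployToken
{
    public function __construct(
        public readonly string $name,
        public readonly array $abilities,               // e.g. ['repository:read']
        public readonly ?DateTimeImmutable $expiresAt,  // null means no expiry set
    ) {}
}

// Vulnerable pattern (the 'before'): the ability is checked, the expiry is not,
// so a token that expired long ago is still accepted.
function authorizeWithoutExpiryCheck(DeployToken $token, string $ability): bool
{
    return in_array($ability, $token->abilities, true);
}

// Fixed pattern: the same ability check, preceded by an explicit expiration test.
// The current time is injected so the check is deterministic and testable.
function authorizeWithExpiryCheck(DeployToken $token, string $ability, DateTimeImmutable $now): bool
{
    if ($token->expiresAt !== null && $token->expiresAt <= $now) {
        return false; // expired tokens are rejected before the ability is even considered
    }
    return in_array($ability, $token->abilities, true);
}

// Constructed sample tokens and a fixed "now" for the demonstration.
$now = new DateTimeImmutable('2026-02-26T12:00:00Z');
$tokens = [
    new DeployToken('ci-active',  ['repository:read'],  new DateTimeImmutable('2026-12-31T00:00:00Z')),
    new DeployToken('ci-expired', ['repository:read'],  new DateTimeImmutable('2025-12-31T00:00:00Z')),
    new DeployToken('ci-noexp',   ['repository:read'],  null),
    new DeployToken('ci-wrong',   ['repository:write'], null),
];

printf("%-12s %-10s %-10s\n", 'token', 'vulnerable', 'fixed');
foreach ($tokens as $t) {
    printf("%-12s %-10s %-10s\n",
        $t->name,
        authorizeWithoutExpiryCheck($t, 'repository:read') ? 'allow' : 'deny',
        authorizeWithExpiryCheck($t, 'repository:read', $now) ? 'allow' : 'deny',
    );
}
```

Run with `php` 8.1 or later. The only row where the two columns differ is `ci-expired`: the vulnerable function allows it because its ability matches, while the fixed function denies it because `expiresAt` is in the past. Tokens without an expiry and tokens with the wrong ability behave identically under both checks, which is why this class of bug is easy to miss in tests that never construct an expired token.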
Upgrade Packistry to version 0.13.0 or later. This version fixes the vulnerability that allows unauthorized access through expired access tokens. The update ensures that expired tokens are correctly rejected.
CVE-2026-27968 describes a vulnerability in Packistry where expired deploy tokens could still access repository APIs before version 0.13.0, potentially allowing unauthorized access to package metadata and downloads.
You are affected if you are using Packistry versions prior to 0.13.0. Check your Packistry version and upgrade immediately if you are vulnerable.
Upgrade Packistry to version 0.13.0 or later. This version includes an explicit expiration check for deploy tokens, preventing unauthorized access.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target. Proactive mitigation is recommended.
Refer to the Packistry project's security advisories and release notes on their official website or GitHub repository for the latest information.