Composer fixes two command injection bugs that can hit even systems without Perforce installed


Composer has released security updates for two high-severity command injection vulnerabilities in its Perforce VCS driver. The project says developers should update to Composer 2.9.6 or 2.2.27 LTS immediately, and its official changelogs list both fixes under the April 14, 2026 releases.

The two flaws are tracked as CVE-2026-40261 and CVE-2026-40176. Both involve improper escaping in shell command construction, which can let attackers inject arbitrary commands in the context of the user running Composer. GitHub lists both advisories as High severity.

One detail makes this story more serious than it first looks. The Composer team says both bugs can be exploited even when Perforce is not installed and even when the user does not actively use Perforce, because Composer still attempts to execute the constructed command path.

What the two CVEs do

CVE-2026-40176 affects the Perforce::generateP4Command() method. According to Composer maintainer Nils Adermann, an attacker can inject arbitrary commands by controlling Perforce connection fields such as port, user, or client in a malicious composer.json repository definition.

That bug has an important limit. Composer says VCS repository definitions are only loaded from the root composer.json in the directory where the user runs Composer, or from the Composer config directory. In other words, this specific issue does not trigger through composer.json files that arrive as ordinary dependencies.

CVE-2026-40261 affects the Perforce::syncCodeBase() method. Composer says a crafted Perforce source reference, and in some cases the source URL, can inject arbitrary shell commands through malicious package metadata served by a Composer repository. That means the flaw can trigger during installs or updates from source, especially with --prefer-source or workflows that default to source installs for dev versions.

Why developers should move quickly

The Composer team says it has no evidence either flaw was exploited before public disclosure. That lowers the immediate panic level, but it does not reduce the need to patch, especially because Composer remains one of the most widely used dependency managers in PHP environments.

The project also scanned Packagist.org and Private Packagist and said it found no packages attempting to exploit the bugs. As a precaution, it disabled publication of Perforce source metadata on Packagist.org and disabled the Perforce VCS driver on Private Packagist starting April 10, 2026.

Since the advisory was published, Composer has also moved forward to version 2.9.7 as the latest stable download. That means developers who run a standard self-update today may land on a version newer than 2.9.6, but the security floor remains 2.9.6 on the mainline branch and 2.2.27 on LTS.

Affected issues at a glance

| CVE | What it affects | How exploitation happens | Main risk |
| --- | --- | --- | --- |
| CVE-2026-40176 | Perforce::generateP4Command() | Malicious Perforce repository fields in a root composer.json | Arbitrary command execution |
| CVE-2026-40261 | Perforce::syncCodeBase() | Malicious source reference or URL in package metadata from a repository | Arbitrary command execution during source installs |

What developers should do now

  • Update Composer immediately to at least 2.9.6 or 2.2.27 LTS.
  • Prefer distribution archives instead of source installs by using --prefer-dist or preferred-install: dist where possible.
  • Only use trusted Composer repositories, especially for source installs and dev dependencies.
  • Do not run Composer commands inside untrusted project directories without inspecting the root composer.json.
  • Watch for follow-up guidance if you use Private Packagist Self-Hosted, since Composer said a release with verification tooling would follow the advisory.
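As an added example (not code from the Composer project or its advisory), the following POSIX shell check reads the `composer --version` banner and reports whether the installed build meets the patched floor on its branch (2.9.6 mainline, 2.2.27 LTS); the function names and the sample banner text are constructed here.

```shell
#!/bin/sh
# Added example, not Composer project code: check an installed Composer
# against the patched floors from the advisory (2.9.6 mainline, 2.2.27 LTS).

# Compare two dotted numeric versions. Prints 0 if a == b, 1 if a > b, 2 if a < b.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    if [ "$ai" -lt "$bi" ]; then echo 2; return; fi
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  echo 0
}

# Return 0 (true) when the version carries the fix, 1 otherwise.
# Pre-release or snapshot strings (anything non-numeric) are treated as unverified.
composer_is_patched() {
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  case "$1" in
    2.2.*) floor=2.2.27 ;;   # LTS branch
    2.*)   floor=2.9.6  ;;   # mainline branch (2.3 .. 2.8 are below the floor)
    *)     return 1 ;;       # 1.x never received the fix
  esac
  [ "$(vercmp "$1" "$floor")" != 2 ]
}

# Pull the version out of the `composer --version` banner; constructed sample
# shape: "Composer version 2.9.6 2026-04-14 12:00:00".
composer_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Composer version \([^ ]*\).*/\1/p'
}

# Run against the local binary when it is on PATH.
if command -v composer >/dev/null 2>&1; then
  v=$(composer_version_from_banner "$(composer --version 2>/dev/null | head -n 1)")
  if composer_is_patched "$v"; then
    echo "Composer $v meets the security floor"
  else
    echo "Composer $v is below the floor: run 'composer self-update' (or 'composer self-update --2.2' on LTS)"
    echo "and prefer archives with 'composer config preferred-install dist'"
  fi
fi
```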

FAQ

What is the new Composer vulnerability?

It is actually a pair of Perforce-related command injection vulnerabilities, CVE-2026-40261 and CVE-2026-40176, fixed in Composer 2.9.6 and 2.2.27 LTS.

Can attackers exploit this without Perforce installed?

Yes. Composer’s official advisory says both issues can be exploited even if Perforce is not installed and even if the user does not actively use the driver.

Does this affect normal dependency installs?

One of the bugs, CVE-2026-40176, requires a malicious root composer.json or Composer config file. The other, CVE-2026-40261, can arrive through malicious package metadata from a repository during source installs or updates.

Were these bugs exploited in the wild?

Composer says it has no evidence of exploitation before publication, and scans of Packagist.org and Private Packagist did not find known malicious packages abusing the bugs.
