Two critical flaws in Composer open the door to command execution via Perforce


Composer, the most widely used package manager in the PHP ecosystem, has published fixes for two serious security flaws which, if successfully exploited, allow arbitrary command execution on the machine where Composer runs. Both problems lie in the driver Composer uses for Perforce as a version control system, and they affect several branches of Composer 2.x.

The two vulnerabilities have been assigned CVE identifiers and high severity scores: CVE-2026-40176 (CVSS 7.8) and CVE-2026-40261 (CVSS 8.8). Technical details are available in the NVD entries for CVE-2026-40176 and CVE-2026-40261.


In simple terms, both vulnerabilities stem from insufficient validation and escaping of data taken from a Perforce repository configuration declared in a composer.json file. A malicious repository entry can include fields crafted to inject shell metacharacters or sequences that Composer ends up executing. What makes this worrying is that, according to the maintainers, Composer can run those commands even when Perforce is not installed on the system, because the driver code processes the metadata and turns it into calls that end up in the shell.
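As an added illustration of the bug class described above (example code written for this page, not Composer's own PHP source, and in Python rather than PHP): a constructed Perforce repository entry whose url field smuggles a second command, the string-interpolation pattern that lets it through, and the two patterns that neutralise it. The field names, the shape of the p4 command line and the sample composer.json are assumptions for the demonstration; the commands are tokenised the way a POSIX shell would read them, never executed.

```python
"""Illustration of the bug class behind the advisories: repository metadata
from composer.json reaching a shell without escaping. Added example written
for this page, not Composer's source; field names and the p4 command shape
are assumptions. Commands are tokenised, never executed."""
from __future__ import annotations

import json
import shlex

# Constructed composer.json fragment: a Perforce entry whose "url" field
# carries a second command behind a ';'. Constructed for this example.
MALICIOUS_COMPOSER_JSON = r'''
{
  "repositories": [
    {
      "type": "perforce",
      "url": "perforce.example.com:1666; touch /tmp/pwned",
      "depot": "depot",
      "branch": "main"
    }
  ]
}
'''


def load_perforce_repo(text: str) -> dict:
    """Return the first repository entry of type 'perforce'."""
    for repo in json.loads(text).get("repositories", []):
        if repo.get("type") == "perforce":
            return repo
    raise ValueError("no perforce repository in composer.json")


def build_command_unsafe(repo: dict) -> str:
    """Vulnerable pattern: interpolate the field into one string destined
    for /bin/sh. Everything after ';' becomes a separate command."""
    return f"p4 -p {repo['url']} info"


def build_command_quoted(repo: dict) -> str:
    """Hardened pattern when a shell string is unavoidable: quote every
    untrusted field so the shell sees it as a single word."""
    return " ".join(["p4", "-p", shlex.quote(repo["url"]), "info"])


def build_command_argv(repo: dict) -> list[str]:
    """Preferred hardened pattern: no shell at all. Pass an argument list
    (subprocess.run(argv) without shell=True) so no character in the field
    is ever interpreted."""
    return ["p4", "-p", repo["url"], "info"]


def shell_tokens(command: str) -> list[str]:
    """Show what a POSIX shell would make of the string: shlex with
    punctuation_chars treats ; | & < > ( ) as operator tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    repo = load_perforce_repo(MALICIOUS_COMPOSER_JSON)
    print("unsafe :", shell_tokens(build_command_unsafe(repo)))
    print("quoted :", shell_tokens(build_command_quoted(repo)))
    print("argv   :", build_command_argv(repo))
```

The unsafe form splits into two commands at the ';' (p4 ... and touch /tmp/pwned), while the quoted and argv forms keep the whole field as one argument to p4, which then simply fails to connect to a nonsensical server address.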

Which versions are affected and which contain the fix: the flaws affect certain ranges of the 2.0 and 2.3 release lines. The fixes were published in versions 2.2.27 and 2.9.6; if your Composer installation is below those versions, update as soon as possible. You can review the project and its advisories in Composer's official GitHub repository: github.com/composer/composer.

If for some reason the update cannot be applied immediately, there are interim measures that reduce the risk. One of the most important is to inspect composer.json files manually before running Composer on projects that do not come from fully trusted sources: verify that there are no Perforce-related entries containing unexpected values or special characters. In addition, installation should be limited to trusted repositories and packages, and the --prefer-dist option, or its configuration equivalent, should be avoided unless you are sure of the source, since these paths can expose manipulated external metadata.
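One way to carry out the manual review of composer.json recommended above, together with the version check from the previous paragraph, as an added example (written for this page, not Composer's or Packagist's own tooling): the script reports every Perforce repository entry and flags fields carrying shell metacharacters, and decides from the output of composer --version whether an update is due. Assumptions: the metacharacter list is this example's choice; the version ranges treated as unpatched are read from the fixed versions the article quotes (below 2.2.27 in the 2.0 line, 2.3.0 up to but excluding 2.9.6 in the newer line) and should be confirmed against the GitHub advisory; the sample composer.json is constructed.

```python
"""Pre-flight audit of a composer.json and a Composer version check.
Added example for this article, not Composer's or Packagist's tooling."""
from __future__ import annotations

import json
import re
from typing import Iterator

# Characters that change the meaning of a value once it reaches /bin/sh.
# Deliberately broad: a Perforce host:port, depot or branch name should
# never need any of them. The list is this example's choice.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"*?!]")

# Constructed sample using the object form of "repositories" (composer.json
# also allows a list; both are handled below). The "branch" value carries a
# command-substitution payload of the kind the article warns about.
SAMPLE_COMPOSER_JSON = r'''
{
  "name": "acme/app",
  "require": {"monolog/monolog": "^3.0"},
  "repositories": {
    "internal": {"type": "composer", "url": "https://packages.example.internal"},
    "legacy": {
      "type": "perforce",
      "url": "perforce.example.com:1666",
      "depot": "depot",
      "branch": "main$(id > /tmp/x)"
    }
  }
}
'''


def iter_repositories(data: dict) -> Iterator[tuple[str, dict]]:
    """Yield (label, entry) for every repository entry, whichever form is used."""
    repos = data.get("repositories", [])
    if isinstance(repos, dict):
        for name, entry in repos.items():
            if isinstance(entry, dict):
                yield name, entry
    elif isinstance(repos, list):
        for index, entry in enumerate(repos):
            if isinstance(entry, dict):
                yield f"#{index}", entry


def audit_composer_json(text: str) -> list[str]:
    """Return findings. Every Perforce repository is reported, because the
    advice is to review them all; fields carrying shell metacharacters are
    reported separately so they stand out."""
    findings: list[str] = []
    for label, entry in iter_repositories(json.loads(text)):
        if str(entry.get("type", "")).lower() != "perforce":
            continue
        findings.append(f"{label}: perforce repository declared, review before running Composer")
        for key, value in entry.items():
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append(f"{label}: field {key!r} contains shell metacharacters: {value!r}")
    return findings


def composer_needs_update(version_output: str) -> bool | None:
    """Decide from 'composer --version' output whether an update is due.
    Assumption read from the fixed versions the article quotes: below
    2.2.27 is unpatched in the 2.0 line, and 2.3.0 up to (excluding)
    2.9.6 is unpatched in the newer line. Confirm against the advisory.
    Returns None for versions the article does not cover (1.x)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not match:
        raise ValueError(f"no version number in {version_output!r}")
    v = tuple(int(part) for part in match.groups())
    if v < (2, 0, 0):
        return None
    if v < (2, 2, 27):
        return True
    if (2, 3, 0) <= v < (2, 9, 6):
        return True
    return False


if __name__ == "__main__":
    for line in audit_composer_json(SAMPLE_COMPOSER_JSON):
        print(line)
    print(composer_needs_update("Composer version 2.9.5 2026-03-01 12:00:00"))
```

Run it against each composer.json in a project before a CI job invokes Composer on third-party code; any finding at all is a reason to pause, and a metacharacter finding is a reason to stop.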

Composer's maintainers have carried out a sweep of Packagist.org and have so far found no evidence that malicious actors exploited these flaws by publishing packages with manipulated Perforce metadata. Nevertheless, as a precaution, publication of Perforce-related metadata on Packagist.org was disabled from Friday 10 April 2026. If you use Packagist you can check the platform at packagist.org.


If you administer corporate installations or a self-hosted instance (Private Packagist), take note: the teams indicated that a new release is expected for Packagist Self-Hosted customers to address the issue and coordinate mitigation in controlled environments. In the meantime, good security practice (update, audit metadata and limit the use of unverified sources) is the most effective defense.

This incident is a reminder that even trusted tools, when they process external metadata, can become remote-execution vectors if the input is not properly validated or escaped. If you manage PHP projects, the practical and urgent recommendation is to update Composer to the versions that fix both vulnerabilities and to review the automated processes in which you run Composer over third-party code.

For more information and follow-up, see the Composer project's official entries and security advisories and the national vulnerability database: getcomposer.org, the advisories on GitHub, and the NVD entry for each CVE mentioned above.
