Composer has released version 2.9.6 and 2.2.27 LTS to address two command injection vulnerabilities in its Perforce VCS driver: CVE-2026-40261 and CVE-2026-40176.
Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver. CVE-2026-40261 was reported by Koda Reef and CVE-2026-40176 was reported by saku0512.
To the best of our knowledge, neither vulnerability has been exploited prior to publication.
The vulnerabilities are located in Composer's Perforce VCS driver and involve insufficient escaping of values used in shell command construction.
Vulnerability Details
The first issue, CVE-2026-40176, affects the Perforce::generateP4Command() method. It can be exploited if a malicious project includes attacker-controlled Perforce connection parameters such as the port, user, or client in a root composer.json file. This is limited to the root project configuration or Composer config, not dependency package composer.json files.
The second issue, CVE-2026-40261, impacts the Perforce::syncCodeBase() method. It allows command injection via a crafted source reference. This can occur when installing or updating dependencies from a malicious or compromised Composer repository, especially when using source installs like --prefer-source (default for dev versions). Notably, Perforce does not need to be installed for the injected command to be attempted.
Mitigation and Recommendations
The Composer team recommends updating immediately and both issues are fixed in Composer 2.9.6 (mainline) and 2.2.27 (2.2 LTS):
composer self-updateAdditional mitigation steps include:
- Prefer distribution installs:
--prefer-distorpreferred-install: dist - Avoid untrusted Composer repositories
- Review
composer.jsonbefore running Composer on unfamiliar projects
Packagist reports that scans of Packagist.org and Private Packagist found no evidence of exploitation. As a precaution:
- Perforce source metadata publication on Packagist.org was disabled on April 10, 2026
- The Perforce VCS driver has been disabled on Private Packagist since that date
At the time of disclosure, there is no indication that these vulnerabilities were exploited in the wild.
If you rely on Composer in local development, CI pipelines, or automated workflows, you should verify your version and upgrade to a patched release as soon as possible.
Read their full announcement for all the details.
