Composer 2.9.6: Perforce Driver Command Injection Vulnerabilities (CVE-2026-40261, CVE-2026-40176)

Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver. CVE-2026-40261 was reported by Koda Reef and CVE-2026-40176 was reported by saku0512.

To the best of our knowledge, neither vulnerability has been exploited prior to publication.

Cause of the Vulnerabilities

Both vulnerabilities are located in Composer's Perforce VCS driver and involve insufficient escaping of values used in shell command construction.

CVE-2026-40176 affects the Perforce::generateP4Command() method, which constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository could inject arbitrary commands through these values, leading to command execution in the context of the user running Composer.

VCS repositories are only loaded from the root composer.json file located in the directory you execute Composer commands in and from the Composer config directory (e.g. ~/.config/composer/composer.json). This vulnerability cannot be exploited through composer.json files of packages installed as dependencies. You are only at risk if you run Composer commands on untrusted projects with attacker-supplied composer.json files.

CVE-2026-40261 affects the Perforce::syncCodeBase() method, which appended a source reference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Additionally, Koda Reef noticed that the improper escaping in Perforce::generateP4Command(), which led to CVE-2026-40176 above, also affects the source url field.

The source reference and url are provided as part of package metadata. Any Composer package repository can serve package metadata declaring Perforce as a source type with a malicious source reference or source url. This means the vulnerability can be exploited through any package served by a compromised or malicious Composer repository. An attack does not require Perforce to be installed on the client, as Composer will attempt to execute the constructed command regardless. This vulnerability is exploitable when installing or updating malicious dependencies from source (--prefer-source, which is the default when installing dev-prefixed versions).
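To make the root cause of both CVEs concrete, the following is an added illustration in PHP (Composer's language). It is not Composer's code and not the patched driver: the function names, the argument layout and the sample values are assumptions. It contrasts the vulnerable pattern described above (connection parameters and a source reference interpolated straight into a shell command string) with the hardened form (every attacker-influenced value passed through escapeshellarg()), and uses a small separator counter to show that the unescaped command contains additional, injected commands while the escaped one does not.

```php
<?php
// Added illustration, not code from Composer. Function names, argument layout
// and the hostile sample values are assumptions for this example.
declare(strict_types=1);

/** Vulnerable: port, user, client and the source reference are interpolated verbatim. */
function buildP4CommandUnsafe(string $port, string $user, string $client, string $ref): string
{
    $cmd = "p4 -p $port -u $user -c $client";
    return $cmd . ' sync //depot/...@' . $ref; // reference appended without escaping
}

/** Hardened: each value becomes exactly one single-quoted shell argument (POSIX shells). */
function buildP4CommandSafe(string $port, string $user, string $client, string $ref): string
{
    return sprintf(
        'p4 -p %s -u %s -c %s sync %s',
        escapeshellarg($port),
        escapeshellarg($user),
        escapeshellarg($client),
        escapeshellarg('//depot/...@' . $ref)
    );
}

/**
 * Count the simple commands a POSIX shell would run for $cmd: 1 plus every
 * unquoted ; & && | || and every `...` or $( substitution (which also fire
 * inside "..."). A demonstration aid, not a shell parser.
 */
function shellCommandCount(string $cmd): int
{
    $count = 1;
    $inSingle = $inDouble = $inBacktick = false;
    $len = strlen($cmd);
    for ($i = 0; $i < $len; $i++) {
        $ch = $cmd[$i];
        $next = $i + 1 < $len ? $cmd[$i + 1] : '';
        if ($inSingle) {                       // nothing is special inside '...'
            $inSingle = ($ch !== "'");
            continue;
        }
        if ($ch === '\\') {                    // backslash escapes the next character
            $i++;
            continue;
        }
        if ($ch === '`') {                     // `...` runs a command even inside "..."
            if (!$inBacktick) { $count++; }
            $inBacktick = !$inBacktick;
            continue;
        }
        if ($ch === '$' && $next === '(') {    // $(...) likewise
            $count++;
            continue;
        }
        if ($inDouble) {
            $inDouble = ($ch !== '"');
            continue;
        }
        if ($ch === "'") { $inSingle = true; continue; }
        if ($ch === '"') { $inDouble = true; continue; }
        if ($ch === ';' || $ch === '&' || $ch === '|') {
            if ($ch !== ';' && $next === $ch) { $i++; } // && and || count once
            $count++;
        }
    }
    return $count;
}

// Constructed hostile inputs: a p4user as it could arrive from a malicious
// composer.json, and a source reference as it could arrive in package
// metadata. Both payloads are harmless echoes; nothing here is executed.
$hostileUser = 'alice; echo injected-via-user';
$hostileRef  = 'main`echo injected-via-ref`';

foreach (['unsafe' => 'buildP4CommandUnsafe', 'safe' => 'buildP4CommandSafe'] as $label => $fn) {
    $cmd = $fn('perforce.example.com:1666', $hostileUser, 'ws-client', $hostileRef);
    printf("%-6s commands=%d  %s\n", $label, shellCommandCount($cmd), $cmd);
}
```

Running it prints the two command strings: the unsafe one counts three commands (the p4 call, the echo after the unquoted semicolon, and the backtick substitution), the safe one counts one, because escapeshellarg() wraps each value in single quotes so the shell treats it as data. Two caveats: escapeshellarg() uses double quotes on Windows, so the counter's single-quote assumption only models POSIX shells; and escaping is the second-best fix anyway. Handing the process an argument array (proc_open() accepts one since PHP 7.4) keeps the shell out of the picture entirely, which is what a driver that spawns p4 should prefer.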

Patches

Both issues are fixed in Composer 2.9.6 (mainline) and 2.2.27 (2.2 LTS).

Workarounds

For CVE-2026-40261, avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories.

For CVE-2026-40176, carefully inspect composer.json files before running Composer commands on them. Verify that Perforce-related fields contain valid values, and only run Composer commands on projects from trusted sources.
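Both workarounds come down to knowing where a project pulls in Perforce metadata and whether any of it looks like shell syntax. The script below is an added example, not tooling shipped with Composer or Packagist: it lists every repository of type perforce in composer.json (the only place, together with the global config file, from which VCS repositories are read) and every package in composer.lock whose source type is perforce, and flags values containing shell metacharacters. It assumes the type string "perforce", the lock sections "packages" and "packages-dev", and the source fields "url" and "reference"; repository keys such as p4user are not assumed, since every string in a perforce repository entry is inspected.

```php
<?php
// Added example, not Composer's own tooling. Assumptions: repository/source type
// string "perforce", lock sections "packages"/"packages-dev", source fields
// "url"/"reference". Exit status is non-zero when anything suspicious is found.
declare(strict_types=1);

const SHELL_META = ";&|$`(){}<>\"'\\*?\n\r\t ";

/** Anything a shell could interpret; legitimate ports, users, depot paths and refs do not need these. */
function hasShellMeta(string $value): bool
{
    return strpbrk($value, SHELL_META) !== false;
}

/** Flatten a nested config array into ['prefix.a.b' => 'string value', ...]. */
function flattenStrings(array $data, string $prefix): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $path = $prefix . '.' . $key;
        if (is_array($value)) {
            $out += flattenStrings($value, $path);
        } elseif (is_string($value)) {
            $out[$path] = $value;
        }
    }
    return $out;
}

/**
 * @param array|null $json decoded composer.json (null if absent)
 * @param array|null $lock decoded composer.lock (null if absent)
 * @return list<array{where: string, value: string, suspicious: bool}>
 */
function findPerforceUsage(?array $json, ?array $lock): array
{
    $findings = [];
    // Repositories declared in the root (or global) composer.json; "repositories"
    // may be a list or a named object, foreach handles both.
    foreach ($json['repositories'] ?? [] as $name => $repo) {
        if (!is_array($repo) || ($repo['type'] ?? null) !== 'perforce') {
            continue;
        }
        foreach (flattenStrings($repo, "composer.json repositories[$name]") as $where => $value) {
            $findings[] = ['where' => $where, 'value' => $value, 'suspicious' => hasShellMeta($value)];
        }
    }
    // Lock file: package metadata served by any repository ends up here.
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $source = $pkg['source'] ?? null;
            if (!is_array($source) || ($source['type'] ?? null) !== 'perforce') {
                continue;
            }
            foreach (['url', 'reference'] as $field) {
                $value = (string) ($source[$field] ?? '');
                $findings[] = [
                    'where' => sprintf('composer.lock %s %s source.%s', $section, $pkg['name'] ?? '?', $field),
                    'value' => $value,
                    'suspicious' => hasShellMeta($value),
                ];
            }
        }
    }
    return $findings;
}

function loadJson(string $file): ?array
{
    if (!is_file($file)) {
        return null;
    }
    $data = json_decode((string) file_get_contents($file), true);
    return is_array($data) ? $data : null;
}

// Usage: php perforce-audit.php [project-dir ...]   (also pass ~/.config/composer)
// With no arguments a constructed sample is scanned so the script runs offline.
$dirs = array_slice($argv, 1);
if ($dirs === []) {
    $sampleJson = ['repositories' => [
        ['type' => 'perforce', 'url' => 'perforce.example.com:1666', 'p4user' => 'alice; echo x'],
    ]];
    $sampleLock = ['packages' => [
        ['name' => 'vendor/ok',  'source' => ['type' => 'perforce', 'url' => 'perforce.example.com:1666', 'reference' => '12345']],
        ['name' => 'vendor/bad', 'source' => ['type' => 'perforce', 'url' => 'perforce.example.com:1666', 'reference' => '12345; echo x']],
    ]];
    $all = findPerforceUsage($sampleJson, $sampleLock);
} else {
    $all = [];
    foreach ($dirs as $dir) {
        $all = array_merge($all, findPerforceUsage(loadJson("$dir/composer.json"), loadJson("$dir/composer.lock")));
    }
}

$bad = 0;
foreach ($all as $f) {
    $bad += $f['suspicious'] ? 1 : 0;
    printf("%-10s %s = %s\n", $f['suspicious'] ? 'SUSPICIOUS' : 'perforce', $f['where'], $f['value']);
}
exit($bad > 0 ? 1 : 0);
```

On the constructed sample the p4user entry and the vendor/bad reference are reported as SUSPICIOUS and the script exits 1. The metacharacter list is deliberately conservative (a space or a quote is enough to flag a value), so expect occasional false positives on password fields; a Perforce port, user, depot path or changelist reference should never need any of those characters. The same function can be pointed at vendor/composer/installed.json, which in Composer 2 carries a "packages" list with the same source structure. None of this replaces updating: the only complete fix is Composer 2.9.6 or 2.2.27.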

Impact on Packagist.org

We scanned Packagist.org and did not find any packages having attempted to exploit this vulnerability with malicious Perforce information. As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026.

Impact on Private Packagist

We scanned Private Packagist and did not find any packages having attempted to exploit this vulnerability through malicious Perforce metadata. The Perforce VCS driver has been disabled on Private Packagist since Friday, April 10th, 2026.

For Private Packagist Self-Hosted customers, a new release will be available shortly after this announcement. Composer installations should be updated immediately regardless. The release announcement email and Private Packagist Self-Hosted changelog will detail how to run a command to verify that no metadata on your installation attempts to exploit this vulnerability.