ctipilot.ch


CVE-2026-45793 — PHP Composer: GitHub Actions CI token disclosure in error messages [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

CVE-2026-45793 is a token disclosure in PHP Composer (the PHP package manager) patched and disclosed by the Packagist team on 2026-05-13 (Packagist blog, 2026-05-13). When Composer encounters certain error conditions during package resolution in a GitHub Actions CI/CD workflow, it emits the configured GitHub authentication token — GITHUB_TOKEN or a personal access token — into its error output and debug log stream.

Any CI/CD pipeline that captures and stores build logs (SaaS CI/CD platforms, self-hosted log aggregation, artifact stores, or public build logs on open-source repositories) may inadvertently persist these tokens. A GITHUB_TOKEN scoped to the repository's default permissions allows write access to repository code, workflow files, and packages; an attacker who gains access to build logs via SSRF, a compromised CI SaaS integration, or inadvertent public log exposure can extract and abuse the token before it expires.

The broader risk context: this bug class (credential leakage via error-path logging) echoes the credential-leakage pattern seen in supply-chain attacks such as Mini Shai-Hulud; Composer-based repositories using GitHub Actions are now an independently confirmed leakage path for CI tokens. No in-the-wild exploitation reported.

Fixed: Composer 2.9.8, 2.2.28, and 1.10.28.

Action: upgrade Composer in all CI/CD environments immediately; rotate any GitHub tokens that may have appeared in prior Composer error output; audit build log retention policies.
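As an added example (not part of this brief or of the Composer project), the following Python script covers the two defender tasks the brief calls for: sweeping retained build logs for GitHub token-shaped strings so the right tokens can be rotated, and checking a Composer version against the fixed releases named above. The token prefixes and lengths are assumptions based on GitHub's documented token formats, and the sample log is constructed; the brief does not describe the exact shape of the leaked line.

```python
# Added example, not from the advisory or Composer: find token-shaped strings
# in stored CI logs (reporting them redacted) and check Composer versions.
import re
from typing import List, Tuple

# Assumed GitHub token shapes: classic PAT (ghp_), Actions GITHUB_TOKEN (ghs_),
# fine-grained PAT (github_pat_). Lengths follow GitHub's documented formats.
TOKEN_RE = re.compile(
    r"\b(?:gh[ps]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)

# Fixed Composer releases per the brief, keyed by (major, minor) series.
FIXED = {(2, 9): (2, 9, 8), (2, 2): (2, 2, 28), (1, 10): (1, 10, 28)}

# Constructed sample log (not real Composer output) with one leaked GITHUB_TOKEN.
SAMPLE_LOG = """\
Run composer install --no-interaction
Loading composer repositories with package information
Error: failed to download example/pkg from GitHub (HTTP 401)
  debug: request headers:
  Authorization: token ghs_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
Error: Process completed with exit code 1.
"""


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding is safe to report."""
    return token[: token.index("_") + 1] + "..." + token[-4:]


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, redacted token) for each token-shaped string found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def composer_is_fixed(version: str) -> bool:
    """True if the version is at or above the fix for its series, or newer than
    any series named in the brief (assumption: later releases carry the fix)."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[:2])
    if fixed is not None:
        return parts >= fixed
    return parts > max(FIXED.values())


if __name__ == "__main__":
    for lineno, token in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: token-shaped string {token} -> rotate this token")
    print("composer 2.9.7 fixed:", composer_is_fixed("2.9.7"))
```

Run it over archived workflow logs exported from the CI platform; every hit identifies a token that must be treated as exposed and rotated, regardless of whether the log was ever public.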