ctipilot.ch

PHP Composer GitHub Actions token disclosure in error messages (supply chain risk)

cve · CVE-2026-45793 SINGLE-SOURCE

  • Coverage timeline: 1 (first 2026-05-15 → last 2026-05-15)
  • Briefs: 1 (1 distinct)
  • Sources cited: 1 (1 host)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-15: CTI Daily Brief — 2026-05-15
    active_threats: First coverage. Composer 2.x leaks GITHUB_TOKEN in error output during CI. Fixed in 2.9.8/2.2.28. Supply chain risk; same token-leakage class as TeamPCP attacks.

Where this entity is cited

  • active_threats: 1

Source distribution

  • blog.packagist.com: 1 (100%)

Items in briefs about PHP Composer GitHub Actions token disclosure in error messages (supply chain risk)

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.