{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45793/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["github.com"],"_cs_severities":["medium"],"_cs_tags":["github","actions","composer","token-leak","cve-2026-45793"],"_cs_type":"threat","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA vulnerability exists in Composer that leads to the disclosure of GitHub OAuth tokens, including the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e in GitHub Actions logs. This occurs when tokens do not match Composer\u0026rsquo;s expected format, specifically those containing hyphens introduced in GitHub\u0026rsquo;s new token format (\u003ccode\u003eghs_\u0026lt;id\u0026gt;_\u0026lt;base64url-JWT\u0026gt;\u003c/code\u003e). Widely-used actions often auto-register the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e into Composer\u0026rsquo;s global \u003ccode\u003eauth.json\u003c/code\u003e, triggering the leak without specific user configuration. While GitHub Actions tokens expire rapidly (within 6 hours on GitHub-hosted runners and 24 hours on self-hosted runners) and are scoped to the repository, the exposure poses a risk if the token is captured before expiration. 
This issue is tracked as CVE-2026-45793 and affects Composer versions 2.3.0-2.9.7, 2.0.0-2.2.27 and 1.0-1.10.27.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA GitHub Actions workflow is triggered.\u003c/li\u003e\n\u003cli\u003eThe workflow utilizes an Action (e.g., \u003ccode\u003eshivammathur/setup-php\u003c/code\u003e) that automatically registers the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e into Composer\u0026rsquo;s global \u003ccode\u003eauth.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eComposer attempts to validate the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e using a regular expression (\u003ccode\u003e^[.A-Za-z0-9_]+$\u003c/code\u003e) in \u003ccode\u003eComposer\\IO\\BaseIO::loadConfiguration()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe validation fails because the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e now contains a hyphen (\u003ccode\u003e-\u003c/code\u003e) due to the new GitHub token format.\u003c/li\u003e\n\u003cli\u003eComposer throws an \u003ccode\u003eUnexpectedValueException\u003c/code\u003e containing the full, unmasked \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e in the exception message.\u003c/li\u003e\n\u003cli\u003eSymfony Console, used by Composer, renders the exception message to stderr.\u003c/li\u003e\n\u003cli\u003eThe stderr output, including the plaintext \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, is captured in GitHub Actions logs.\u003c/li\u003e\n\u003cli\u003eAn attacker with access to the logs can then steal the leaked token. 
The attacker could use the leaked credentials to make unauthorized API calls to GitHub on behalf of the workflow, with scopes limited to the respective repository.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability results in the exposure of sensitive \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e values in GitHub Actions logs, which could allow unauthorized access to repository resources. Though tokens expire quickly and are repository-scoped, successful exploitation could lead to code modification, data exfiltration, or other malicious activities within the compromised repository before the token expires.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GITHUB_TOKEN Leak in Composer Logs\u0026rdquo; to your SIEM to identify potential token leaks within GitHub Actions logs.\u003c/li\u003e\n\u003cli\u003eUpgrade to Composer version 2.9.8, 2.2.28 or 1.10.28 or later to address the vulnerability (CVE-2026-45793).\u003c/li\u003e\n\u003cli\u003eMonitor GitHub Actions logs for unexpected error messages related to Composer token validation failures.\u003c/li\u003e\n\u003cli\u003eIf a leak is suspected, rotate \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e secrets to invalidate potentially compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T16:18:49Z","date_published":"2026-05-19T16:18:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-github-token-disclosure/","summary":"Composer leaks GitHub OAuth tokens in GitHub Actions logs if they do not match the expected format due to a validation regex, leading to potential unauthorized access.","title":"GitHub Actions GITHUB_TOKEN Disclosure via Composer Validation Failure","url":"https://feed.craftedsignal.io/briefs/2026-05-github-token-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — 
Cve-2026-45793","version":"https://jsonfeed.org/version/1.1"}