PSA: Update Composer to the latest version — GitHub Actions token disclosure (CVE-2026-45793)

A Composer vulnerability (CVE-2026-45793) can leak the full contents of GITHUB_TOKEN or GitHub App installation tokens into your GitHub Actions logs. It’s triggered by GitHub’s new installation token format (which contains a -) failing Composer’s validation regex — the rejected token then gets interpolated verbatim into the error message written to stderr.

If you run Composer in GitHub Actions (CI for Bedrock, Sage, plugins, etc.), update to one of:

  • Composer 2.9.8 (mainline)
  • Composer 2.2.28 (2.2 LTS)
  • Composer 1.10.28 (legacy — upgrade to 2.x if you can)

If your workflow uses shivammathur/setup-php referenced by a moving tag (e.g. @v2), you’re already covered — the action was updated to install a fixed Composer version. You’re only still exposed if you’ve pinned setup-php to a specific commit SHA from before the fix, or pinned the composer tool itself to a vulnerable version via the action’s tools: input.
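As an added check (my code, not part of the original post, Composer or setup-php), the script below tells you whether a Composer version is on the fixed list above and flags the two exposure conditions in a workflow file: setup-php pinned to a commit SHA, or composer pinned to a vulnerable version via `tools:`. The sample workflow is constructed, and it assumes that every later release on a branch keeps the fix.

```python
import re

# Fixed Composer releases named in the advisory, per release branch.
FIXED = {"1": (1, 10, 28), "2.2": (2, 2, 28), "2.x": (2, 9, 8)}


def parse_version(v):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def composer_version_is_fixed(v):
    """True if this Composer version carries the CVE-2026-45793 fix.
    Assumption (not on the page): later releases on a branch keep the fix."""
    t = parse_version(v)
    if t is None:
        return False  # unparseable: treat as not verified
    major, minor, _ = t
    if major == 1:
        return t >= FIXED["1"]
    if major == 2 and minor == 2:
        return t >= FIXED["2.2"]
    return t >= FIXED["2.x"]  # 2.0/2.1 and 2.3..2.8 fall below 2.9.8


SHA_PIN = re.compile(r"uses:\s*shivammathur/setup-php@([0-9a-f]{40})\b")
TOOLS_COMPOSER = re.compile(r"tools:.*\bcomposer:(v?\d+\.\d+\.\d+)")


def audit_workflow(text):
    """Return (line_no, message) for each exposure condition the PSA lists."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SHA_PIN.search(line)
        if m:  # a SHA pin must be checked by hand against the fix date
            findings.append((n, f"setup-php pinned to {m.group(1)[:12]}: confirm it postdates the fix"))
        m = TOOLS_COMPOSER.search(line)
        if m and not composer_version_is_fixed(m.group(1)):
            findings.append((n, f"composer {m.group(1)} pinned via tools: is vulnerable"))
    return findings


# Constructed sample workflow: line 7 pins a vulnerable Composer, line 8 a SHA.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          tools: composer:2.9.7
      - uses: shivammathur/setup-php@0123456789abcdef0123456789abcdef01234567
        with:
          tools: composer:2.9.8
"""
```

Run `audit_workflow(open(".github/workflows/ci.yml").read())` against each workflow; an empty list means neither condition applies.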

GitHub temporarily rolled back the new token format, but plans to resume the rollout on Monday, May 18, 2026 (after 2 PM UTC) — so get patched before then. It’s also worth reviewing recent Actions logs for failed Composer runs that may have already printed a token, and deleting those logs if so.

More detail:
