CVE-2026-27968

EUVD-2026-8820

26.02.2026, 02:16

Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
packistryphp	packistry	𝑥 < 0.13.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283

https://github.com/packistry/packistry/pull/276

https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw