{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27968", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.793Z", "datePublished": "2026-02-26T01:57:12.752Z", "dateUpdated": "2026-02-26T14:53:10.334Z"}, "containers": {"cna": {"title": "Packistry accepts expired access tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw"}, {"name": "https://github.com/packistry/packistry/pull/276", "tags": ["x_refsource_MISC"], "url": "https://github.com/packistry/packistry/pull/276"}, {"name": "https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283", "tags": ["x_refsource_MISC"], "url": "https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283"}], "affected": [{"vendor": "packistry", "product": "packistry", "versions": [{"version": "< 0.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:57:12.752Z"}, "descriptions": [{"lang": "en", "value": "Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected."}], "source": {"advisory": "GHSA-4r9m-jp53-vgmw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:52:57.211685Z", "id": "CVE-2026-27968", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:53:10.334Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27968", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:52:57.211685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:53:05.300Z"}}], "cna": {"title": "Packistry accepts expired access tokens", "source": {"advisory": "GHSA-4r9m-jp53-vgmw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "packistry", "product": "packistry", "versions": [{"status": "affected", "version": "< 0.13.0"}]}], "references": [{"url": "https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw", "name": "https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/packistry/packistry/pull/276", "name": "https://github.com/packistry/packistry/pull/276", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283", "name": "https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:57:12.752Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27968", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:53:10.334Z", "dateReserved": "2026-02-25T03:24:57.793Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T01:57:12.752Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:packistryphp:packistry:*:*:*:*:*:*:*:*", "matchCriteriaId": "568FC6E5-5DBD-429D-8265-A6FDB4129456", "versionEndExcluding": "0.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected."}, {"lang": "es", "value": "Packistry es un repositorio Composer autoalojado dise\u00f1ado para gestionar la distribuci\u00f3n de paquetes PHP. Antes de la versi\u00f3n 0.13.0, RepositoryAwareController::authorize() verificaba la presencia y la capacidad del token, pero no aplicaba la caducidad del mismo. Como resultado, un token de despliegue caducado con la capacidad correcta a\u00fan pod\u00eda acceder a los puntos finales del repositorio (p. ej., las API de metadatos/descarga de Composer). La correcci\u00f3n en la versi\u00f3n 0.13.0 a\u00f1ade una verificaci\u00f3n de caducidad expl\u00edcita, y las pruebas ahora verifican los tokens de despliegue caducados para asegurar que sean rechazados."}], "id": "CVE-2026-27968", "lastModified": "2026-03-02T18:04:44.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:23.990", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/packistry/packistry/pull/276"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.13.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "packistry", "source": "cna", "vendor": "packistry"}, "product": "packistry", "vendor": "packistry"}], "analysis": {"en": {"generated_at": "2026-04-17T14:29:27.645707+00:00", "value": {"mitigation_remediation": ["Upgrade Packistry to version 0.13.0 or later where expiration checks are enforced.", "Rotate all existing deploy tokens and issue new ones with proper expiration settings.", "Validate that token expiration checks are effective by testing access with an intentionally expired token."], "summary": {"action": "Apply Patch", "impact": "Expired deploy tokens bypass authentication"}, "threat_synthesis": {"affected_systems": "The issue is present in all releases of Packistry prior to version 0.13.0. Any installation running an older build that accepts deploy tokens may be affected.", "description_and_impact": "Packistry allows an attacker to use an expired deploy token to access repository endpoints such as metadata and download APIs because token expiration is not checked. This weakness enables unauthorized read access to artifacts that the token is intended to expose, exposing package contents and potentially facilitating further exploitation if the token has elevated privileges. The vulnerability is classified as an improper authentication failure, represented by CWE-287 and CWE-613.", "risk_and_exploitability": "The CVSS v3 score of 4.3 indicates moderate severity; the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. Packistry is not listed in the CISA KEV catalog. Attackers must obtain or generate an expired deploy token and then send requests to repository endpoints. The attack is feasible over the network and requires only the presence of an expired token, which can be acquired through social engineering, password reuse, or token theft. Once the token is in possession, the attacker can retrieve metadata and download package data without restriction."}}}}, "created": "2026-02-26T13:09:51.700845+00:00", "updated": "2026-04-17T14:30:20.833249+00:00", "vendors": ["packistry", "packistry$PRODUCT$packistry"]}