Description
Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now cover expired deploy tokens to ensure they are rejected.
Published: 2026-02-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Expired deploy tokens bypass authentication
Action: Apply Patch
AI Analysis

Impact

Packistry allows an attacker to use an expired deploy token to access repository endpoints such as metadata and download APIs because token expiration is not checked. This weakness enables unauthorized read access to the artifacts the token was originally scoped to, exposing package contents and potentially facilitating further exploitation if the token has elevated privileges. The vulnerability is classified as an improper authentication failure, represented by CWE-287 and CWE-613.

Affected Systems

The issue is present in all releases of Packistry prior to version 0.13.0. Any installation running an older build that accepts deploy tokens may be affected.

Risk and Exploitability

The CVSS v3 score of 4.3 indicates moderate severity; the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. Packistry is not listed in the CISA KEV catalog. Attackers must obtain or generate an expired deploy token and then send requests to repository endpoints. The attack is feasible over the network and requires only the presence of an expired token, which can be acquired through social engineering, password reuse, or token theft. Once the token is in possession, the attacker can retrieve metadata and download package data without restriction.

Generated by OpenCVE AI on April 17, 2026 at 14:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Packistry to version 0.13.0 or later where expiration checks are enforced.
  • Rotate all existing deploy tokens and issue new ones with proper expiration settings.
  • Validate that token expiration checks are effective by testing access with an intentionally expired token.
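The authorize() check from the Description and the validation step in the last recommended action, as an added PHP illustration; this is not Packistry's code, and the DeployToken class, its field names and the 'repository:read' ability string are assumptions:

```php
<?php
declare(strict_types=1);

// Hypothetical deploy token record (field names are assumptions, not Packistry's schema).
final class DeployToken
{
    /** @param list<string> $abilities */
    public function __construct(
        public readonly array $abilities,
        public readonly ?DateTimeImmutable $expiresAt, // null means the token never expires
    ) {}
}

// Shape of the pre-0.13.0 check as the advisory describes it: presence and ability only.
function authorizeVulnerable(?DeployToken $token, string $ability): bool
{
    return $token !== null && in_array($ability, $token->abilities, true);
}

// Hardened check: presence, ability, and an explicit expiration test against an
// injected clock so that tests can pin "now" instead of depending on wall time.
function authorizeFixed(?DeployToken $token, string $ability, DateTimeImmutable $now): bool
{
    if ($token === null || !in_array($ability, $token->abilities, true)) {
        return false;
    }
    if ($token->expiresAt !== null && $token->expiresAt <= $now) {
        return false; // correct ability, but the token has expired: deny
    }
    return true;
}

// Regression check in the spirit of "test access with an intentionally expired token".
$now     = new DateTimeImmutable('2026-02-26T00:00:00Z');
$ability = 'repository:read'; // assumed ability name
$expired = new DeployToken([$ability], $now->modify('-1 day'));
$live    = new DeployToken([$ability], $now->modify('+30 days'));
$forever = new DeployToken([$ability], null);

if (!authorizeVulnerable($expired, $ability)) {
    throw new LogicException('vulnerable shape should have accepted the expired token');
}
if (authorizeFixed($expired, $ability, $now)) {
    throw new LogicException('expired token must be rejected');
}
if (!authorizeFixed($live, $ability, $now) || !authorizeFixed($forever, $ability, $now)) {
    throw new LogicException('unexpired tokens with the right ability must still be accepted');
}
echo "expiration check behaves as expected\n";
```

Running the script against the hardened check should complete without throwing; wiring the same expired-token case into the application's test suite keeps the expiration check from regressing.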

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Packistryphp; Packistryphp packistry
CPEs                                  cpe:2.3:a:packistryphp:packistry:*:*:*:*:*:*:*:*
Vendors & Products                    Packistryphp; Packistryphp packistry

Thu, 26 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Packistry; Packistry packistry
Vendors & Products                    Packistry; Packistry packistry

Thu, 26 Feb 2026 02:15:00 +0000

Type          Values Removed   Values Added
Description                    Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected.
Title                          Packistry accepts expired access tokens
Weaknesses                     CWE-287; CWE-613
References
Metrics                        cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:53:10.334Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27968

Vulnrichment

Updated: 2026-02-26T14:53:05.300Z

NVD

Status : Analyzed

Published: 2026-02-26T02:16:23.990

Modified: 2026-03-02T18:04:44.283

Link: CVE-2026-27968

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses