## CakePHP CI Infrastructure Exposed: Composer Token Leakage Vulnerability Forces Security Overhaul
A critical supply-chain vulnerability has been identified in the CI infrastructure powering CakePHP organization repositories, prompting an urgent call for hardening measures across all GitHub Actions workflows. The flaw, tracked as CVE-2026-45793, enables the exposure of GitHub authentication tokens through Composer error messages, potentially allowing attackers to hijack CI/CD pipelines or access private repository resources.

The root cause lies in how Composer versions prior to 2.9.8 handle GitHub's newly introduced token format (`ghs_<id>_<base64url-JWT>`). When Composer's credential validator encounters such a token, it rejects the authentication attempt and echoes the full token value inside an ANSI-escaped error message. GitHub's secret-masking system does not handle these ANSI sequences, so the token appears in plaintext in the CI logs.

The exposure is compounded by the `shivammathur/setup-php` action, widely used across CakePHP CI configurations, which automatically injects `GITHUB_TOKEN` into the `COMPOSER_AUTH` environment variable. On workflows triggered by `push` or `schedule` events that lack an explicit `permissions:` declaration, GitHub Actions issues a default token with write permissions, maximizing the damage a leaked token can do.

The proposed remediation requires two coordinated changes: pinning Composer to version `>=2.9.8` in every workflow that uses `shivammathur/setup-php`, and adding an explicit `permissions:` block (`contents: read`) to restrict the token's scope. The RFC (Request for Comments) acknowledges that, although GitHub has since modified its masking behavior, the token-rejection behavior of older Composer versions remains unpatched in environments that have not upgraded. Organizations with similar CI configurations are advised to audit their workflows for vulnerable Composer versions and missing permission scoping, since the exposure window extends to any repository where these conditions coexist.
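As an added example that is not part of the original advisory or of the CakePHP project's own tooling, the script below audits a workflow file for the conditions described above: a `push`/`schedule` trigger, a missing top-level `permissions:` block, and a `shivammathur/setup-php` step with no Composer pin at or above 2.9.8. Both embedded workflows are constructed samples, and treating setup-php's `tools: composer:x.y.z` input as the pin mechanism is an assumption. The parser is a deliberately narrow line-based scan of column-0 keys and step inputs, not a general YAML parser.

```python
"""Audit a GitHub Actions workflow for the conditions named in the advisory:
push/schedule trigger, no top-level permissions: block, and a
shivammathur/setup-php step without a Composer pin at or above 2.9.8."""
import re
from typing import Dict, List, Optional, Tuple

MIN_COMPOSER = (2, 9, 8)                    # first fixed Composer release per the advisory
SETUP_PHP = "shivammathur/setup-php"
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*)$")    # column-0 YAML keys
STEP_START = re.compile(r"^\s*-\s+(uses|run|name):")   # start of the next step

# Constructed sample: push + schedule trigger, no permissions block, no Composer pin.
VULNERABLE_WORKFLOW = """\
name: CI
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 3 * * *'
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
      - run: composer install --no-interaction
"""

# Constructed sample: same workflow with both remediations applied.
# Assumption: setup-php's `tools: composer:x.y.z` input is the pin mechanism.
HARDENED_WORKFLOW = """\
name: CI
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 3 * * *'
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          tools: composer:2.9.8
      - run: composer install --no-interaction
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull an x.y.z triple out of text such as 'composer:2.9.8,'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def composer_is_patched(version: str) -> bool:
    """True only for an explicit x.y.z at or above 2.9.8; 'v2'-style aliases are not a pin."""
    v = parse_version(version)
    return v is not None and v >= MIN_COMPOSER


def top_level_blocks(lines: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each column-0 key to its inline value and the indented lines beneath it."""
    blocks: Dict[str, Tuple[str, List[str]]] = {}
    current = None
    for line in lines:
        m = TOP_KEY.match(line)
        if m:
            current = m.group(1)
            blocks[current] = (m.group(2), [])
        elif current is not None and line.strip():
            blocks[current][1].append(line)
    return blocks


def audit_workflow(yaml_text: str) -> List[str]:
    """Return one finding per risk condition present; an empty list means clean."""
    lines = yaml_text.splitlines()
    blocks = top_level_blocks(lines)
    findings: List[str] = []

    # Conditions 1 + 2: push/schedule trigger combined with no permissions: block.
    inline, body = blocks.get("on", ("", []))
    trigger_text = inline + "\n" + "\n".join(body)
    risky = [t for t in ("push", "schedule") if re.search(rf"\b{t}\b", trigger_text)]
    if "permissions" not in blocks:
        msg = "no top-level permissions: block"
        if risky:
            msg += f" on {'/'.join(risky)} trigger (default token may carry write scope)"
        findings.append(msg)

    # Condition 3: setup-php step whose tools: input lacks a Composer pin >= 2.9.8.
    for i, line in enumerate(lines):
        if SETUP_PHP not in line:
            continue
        tools_line = ""
        for nxt in lines[i + 1:]:          # scan this step's inputs only
            if STEP_START.match(nxt):
                break
            if nxt.strip().startswith("tools:"):
                tools_line = nxt
                break
        pin = re.search(r"composer:(\S+)", tools_line)
        if pin is None:
            findings.append(f"{SETUP_PHP} step has no composer pin in tools:")
        elif not composer_is_patched(pin.group(1)):
            findings.append(f"{SETUP_PHP} step pins composer:{pin.group(1)} (below 2.9.8)")
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {audit_workflow(wf) or ['no findings']}")
```

To audit a repository, read each file under `.github/workflows/` and pass its contents to `audit_workflow`; the missing-`permissions:` finding is reported even when the trigger is not `push`/`schedule`, since an explicit read-only scope is the least-privilege baseline regardless of event type.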
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-45793, Composer vulnerability, GitHub Actions security, supply-chain attack, token leakage
- **Credibility**: unverified
- **Published**: 2026-05-14 17:48:25
- **ID**: 83117
- **URL**: https://whisperx.ai/en/intel/83117