Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-27968
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-26 Feb, 2026 | 01:57
Updated At-26 Feb, 2026 | 14:53
Rejected At-
▼CVE Numbering Authority (CNA)
Packistry accepts expired access tokens

Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected.

Affected Products
Vendor
packistry
Product
packistry
Versions
Affected
  • < 0.13.0
Problem Types
TypeCWE IDDescription
CWECWE-287CWE-287: Improper Authentication
CWECWE-613CWE-613: Insufficient Session Expiration
Type: CWE
CWE ID: CWE-287
Description: CWE-287: Improper Authentication
Type: CWE
CWE ID: CWE-613
Description: CWE-613: Insufficient Session Expiration
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw
x_refsource_CONFIRM
https://github.com/packistry/packistry/pull/276
x_refsource_MISC
https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283
x_refsource_MISC
Hyperlink: https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/packistry/packistry/pull/276
Resource:
x_refsource_MISC
Hyperlink: https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found