Old Packistry version fails to check token expiration
CVE-2026-27968
Summary
If you're using an old version of Packistry, an attacker with a valid but expired token can still access your repository. This means they could see or download sensitive information. Update to Packistry version 0.13.0 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| packistryphp | packistry | <= 0.13.0 | – |
Original description
Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and the test suite now verifies that expired deploy tokens are rejected.
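To make the missing check concrete, the following is an added example in plain PHP written for this page; it is not Packistry's code, and the DeployToken class, the ability names and the expiry field are assumptions standing in for the project's real models. It places the authorize logic as described (presence and ability only) beside a version that also enforces expiration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a stored deploy token (not Packistry's real model).
final class DeployToken
{
    public function __construct(
        public readonly array $abilities,
        public readonly ?DateTimeImmutable $expiresAt, // null means the token never expires
    ) {}

    public function isExpired(DateTimeImmutable $now): bool
    {
        return $this->expiresAt !== null && $this->expiresAt <= $now;
    }
}

// Pre-0.13.0 pattern: token presence and ability are checked, expiration is not.
function authorizeVulnerable(?DeployToken $token, string $ability): bool
{
    return $token !== null && in_array($ability, $token->abilities, true);
}

// Hardened form: the same checks plus an explicit expiration check. The clock is
// passed in by the caller so the rule can be exercised deterministically in tests.
function authorizeFixed(?DeployToken $token, string $ability, DateTimeImmutable $now): bool
{
    if ($token === null || !in_array($ability, $token->abilities, true)) {
        return false;
    }
    return !$token->isExpired($now);
}

// Constructed sample data: one token that expired a day ago, one still valid.
$now     = new DateTimeImmutable('2026-03-01 12:00:00', new DateTimeZone('UTC'));
$expired = new DeployToken(['repository:read'], $now->modify('-1 day'));
$valid   = new DeployToken(['repository:read'], $now->modify('+30 days'));

var_dump(authorizeVulnerable($expired, 'repository:read'));  // expired token, vulnerable check
var_dump(authorizeFixed($expired, 'repository:read', $now)); // expired token, fixed check
var_dump(authorizeFixed($valid, 'repository:read', $now));   // valid token, correct ability
var_dump(authorizeFixed($valid, 'repository:write', $now));  // valid token, wrong ability
```

Running the script shows the expired token accepted by the vulnerable check and rejected by the fixed one, while the valid token is still limited to the ability it was issued with.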
NVD CVSS 3.1
4.3
Vulnerability type
CWE-287
Improper Authentication
CWE-613
Insufficient Session Expiration
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026