Unrated severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 26, 2026
Packistry accepts expired access tokens
CVE-2026-27968
Description
Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and the tests now cover expired deploy tokens to ensure they are rejected.
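The missing check described above, shown as an added example that is not Packistry's code: a presence-and-ability check next to one that also enforces expiration, run against constructed tokens. The class, function and ability names are hypothetical, and treating a null expiry as "never expires" and the exact expiry instant as expired are assumptions.

```php
<?php declare(strict_types=1);
// Hypothetical stand-in for a deploy token; not Packistry's model.
final class DeployToken
{
    public function __construct(
        public readonly array $abilities,
        public readonly ?DateTimeImmutable $expiresAt, // assumption: null = never expires
    ) {}

    public function can(string $ability): bool
    {
        return in_array($ability, $this->abilities, true);
    }

    public function isExpired(DateTimeImmutable $now): bool
    {
        // Assumption: expired from the instant of expiry onward (<=, not <).
        return $this->expiresAt !== null && $this->expiresAt <= $now;
    }
}

// Pre-fix shape described in the advisory: presence and ability only.
function authorizeWithoutExpiry(?DeployToken $token, string $ability): bool
{
    return $token !== null && $token->can($ability);
}

// Hardened shape: the same checks plus an explicit expiration check.
function authorizeWithExpiry(?DeployToken $token, string $ability, DateTimeImmutable $now): bool
{
    return $token !== null && !$token->isExpired($now) && $token->can($ability);
}

// Constructed sample tokens; the ability name is made up for this example.
$now     = new DateTimeImmutable('2026-02-26T12:00:00+00:00');
$expired = new DeployToken(['repo:read'], $now->modify('-1 day'));
$atLimit = new DeployToken(['repo:read'], $now);
$forever = new DeployToken(['repo:read'], null);
$cases = [ // label => [actual, expected]
    'expired, pre-fix check' => [authorizeWithoutExpiry($expired, 'repo:read'), true],
    'expired, fixed check'   => [authorizeWithExpiry($expired, 'repo:read', $now), false],
    'expires exactly now'    => [authorizeWithExpiry($atLimit, 'repo:read', $now), false],
    'no expiry set'          => [authorizeWithExpiry($forever, 'repo:read', $now), true],
    'valid, missing ability' => [authorizeWithExpiry($forever, 'repo:write', $now), false],
];
foreach ($cases as $label => [$actual, $expected]) {
    if ($actual !== $expected) throw new RuntimeException("unexpected result: $label");
    printf("%-24s %s\n", $label, $actual ? 'allowed' : 'denied');
}
```

Passing the clock in as `$now` keeps the expiry boundary testable without waiting on wall-clock time.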
Affected products (2)
Patches (0)
No patches discovered yet.
References (3)
- github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283 (mitre, x_refsource_MISC)
- github.com/packistry/packistry/pull/276 (mitre, x_refsource_MISC)
- github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw (mitre, x_refsource_CONFIRM)