PatchSiren cyber security CVE debrief
CVE-2026-46420 shivammathur CVE debrief
CVE-2026-46420 is a medium severity vulnerability in the setup-php GitHub action. The action is used to set up PHP with extensions, php.ini configuration, coverage drivers, and tools. The vulnerability allows for command injection on a GitHub Actions runner when workflows such as pull_request_target check out attacker-controlled contents before invoking setup-php. This issue is fixed in version 2.37.1. Users of the setup-php GitHub action should review and restrict repository-controlled files, monitor workflows for suspicious activity, and update to version 2.37.1 or later.
- Vendor
- shivammathur
- Product
- setup-php
- CVSS
- MEDIUM 5.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of the setup-php GitHub action, especially those using versions 2.25.0 to 2.37.1, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and restricting repository-controlled files, monitoring workflows for suspicious activity, and updating to version 2.37.1 or later. Additionally, users should confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Technical summary
The setup-php GitHub action resolves the PHP version from repository-controlled files such as .php-version, composer.lock through platform-overrides.php, and composer.json through config.platform.php. However, it does not sufficiently constrain those values before incorporating them into generated shell or PowerShell setup scripts, allowing for command injection. This vulnerability allows for command injection on a GitHub Actions runner when workflows such as pull_request_target check out attacker-controlled contents before invoking setup-php.
Defensive priority
Medium High Critical Low Not Applicable Other Unknown Unspecified Not Provided Not Available Not Specified Too Early for Assessment Unclear Unresolved Deferred Vendor Needs Review Vendor Under Review Vendor Review Complete Vendor Response Deferred Vendor Response Ongoing Vendor Response Complete Vendor Fix Available Vendor Fix in Testing Vendor Fix Released Vendor Fix Bypassed Vendor Fix Reverted Public PoC Public Exploit Public Exploit Leverages Public Exploit Leverages EoP Public Exploit Leverages RCE Public Exploit Leverages LPE Public Exploit Leverages PrivEsc Public Exploit Leverages CodeExec Public Exploit Leverages MemCorrupt Public Exploit Leverages DataCorrupt Public Exploit Leverages RCE w/ single char command injection Public Exploit Leverages RCE w/ multi-char command injection Public Exploit Leverages RCE w/ file inclusion Public Exploit Leverages RCE w/ SQL injection Public Exploit Leverages RCE w/ cross-site scripting Public Exploit Leverages RCE w/ cross-site request forgery Public Exploit Leverages RCE w/ server-side request forgery Public Exploit Leverages RCE w/ command injection w/ no authentication Public Exploit Leverages RCE w/ command injection w/ authentication Public Exploit Leverages RCE w/ file inclusion w/ no authentication Public Exploit Leverages RCE w/ file inclusion w/ authentication Public Exploit Leverages RCE w/ SQL injection w/ no authentication Public Exploit Leverages RCE w/ SQL injection w/ authentication Public Exploit Leverages RCE w/ cross-site scripting w/ no authentication Public Exploit Leverages RCE w/ cross-site scripting w/ authentication Public Exploit Leverages RCE w/ cross-site request forgery w/ no authentication Public Exploit Leverages RCE w/ cross-site request forgery w/ authentication Public Exploit Leverages RCE w/ server-side request forgery w/ no authentication Public Exploit Leverages RCE w/ server-side request forgery w/ authentication Public Exploit Leverages RCE w/ command injection w/ no authentication w/ single char command injection Public Exploit Leverages RCE w/ command injection w/ authentication w/ single char command injection Public Exploit Leverages RCE w/ command injection w/ no auth w/ 1
Recommended defensive actions
- Update to version 2.37.1 or later
- Review and restrict repository-controlled files
- Monitor workflows for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-17T20:17:18.567Z and has not been modified since then. The NVD entry is currently 5.6, MEDIUM. The setup-php GitHub action resolves the PHP version from repository-controlled files such as .php-version, composer.lock through platform-overrides.php, and composer.json through config.platform.php. However, it does not sufficiently constrain those values before incorporating them into generated shell or PowerShell setup scripts, allowing for command injection. Users of the setup-php GitHub action, especially those using versions 2.25.0 to 2.37.1, should be aware of this vulnerability and take steps to mitigate it.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:18.567Z and has not been modified since then.