CVE-2026-33942

CRITICAL

Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Title source: cna

Description

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually.

References (2)

[X_Refsource_Confirm] https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9

[X_Refsource_Misc] https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4

Scores

CVSS v3 9.8

EPSS 0.0022

EPSS Percentile 44.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (3)

saloon/saloon < 4.0.0

saloonphp/saloon 0 - 4.0.0Packagist

saloonphp/saloon < 4.0.0

Published Mar 26, 2026

Tracked Since Mar 26, 2026