{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33942", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.104Z", "datePublished": "2026-03-26T00:27:23.776Z", "dateUpdated": "2026-03-26T00:27:23.776Z"}, "containers": {"cna": {"title": "Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9"}, {"name": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4", "tags": ["x_refsource_MISC"], "url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4"}], "affected": [{"vendor": "saloonphp", "product": "saloon", "versions": [{"version": "< 4.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:27:23.776Z"}, "descriptions": [{"lang": "en", "value": "Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized \"gadget\" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually."}], "source": {"advisory": "GHSA-rf88-776r-rcq9", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saloon:saloon:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DA20E08-DBB0-4ACD-BED9-550F3ED97E3D", "versionEndExcluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized \"gadget\" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually."}, {"lang": "es", "value": "Saloon es una biblioteca PHP que proporciona a los usuarios herramientas para construir integraciones de API y SDKs. Las versiones anteriores a la 4.0.0 utilizaban la funci\u00f3n unserialize() de PHP en AccessTokenAuthenticator::unserialize() para restaurar el estado del token OAuth desde la cach\u00e9 o el almacenamiento, con allowed_classes =&gt; true. Un atacante que puede controlar la cadena serializada (por ejemplo, sobrescribiendo un archivo de token en cach\u00e9 o mediante otra inyecci\u00f3n) puede proporcionar un objeto 'gadget' serializado. Cuando se ejecuta unserialize(), PHP instancia ese objeto y ejecuta sus m\u00e9todos m\u00e1gicos (__wakeup, __destruct, etc.), lo que lleva a la inyecci\u00f3n de objetos. En entornos con dependencias comunes (por ejemplo, Monolog), esto puede encadenarse a la ejecuci\u00f3n remota de c\u00f3digo (RCE). La correcci\u00f3n en la versi\u00f3n 4.0.0 elimina la serializaci\u00f3n de PHP de la clase AccessTokenAuthenticator, lo que requiere que los usuarios almacenen y resuelvan el autenticador manualmente."}], "id": "CVE-2026-33942", "lastModified": "2026-03-26T20:42:31.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T01:16:28.040", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "saloon", "source": "cna", "vendor": "saloonphp"}, "product": "saloon", "vendor": "saloonphp"}], "analysis": {"en": {"generated_at": "2026-03-26T04:20:47.842352+00:00", "value": {"mitigation_remediation": ["Update Saloon to version\u00a04.0.0\u00a0or newer, following the upgrade guidance in the official documentation", "If an upgrade is not immediately possible, ensure that any cached OAuth token data is validated or removed, and prevent external writes to the cache location", "Review dependencies such as Monolog to verify that no exploitable gadget chains remain in the runtime environment", "Implement additional controls to monitor for unauthorized modifications to cached token files or serialization inputs"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via object injection"}, "threat_synthesis": {"affected_systems": "The library affected is Saloon by saloonphp. All releases prior to 4.0.0 are vulnerable. Upgrading to Saloon 4.0.0 or later removes the unserialize usage from AccessTokenAuthenticator and requires manual handling of the authenticator state.", "description_and_impact": "Saloon versions older than 4.0.0 use PHP's unserialize() with allowed_classes enabled inside AccessTokenAuthenticator::unserialize, which restores OAuth token state from cache. An attacker who can control the serialized payload\u2014such as by overwriting a cached token file or exploiting another injection\u2014may supply a malicious gadget object. PHP will instantiate this object and execute its magic methods, resulting in object injection that, in environments that include common dependencies like Monolog, can be chained to remote code execution. The vulnerability is a classic insecure deserialization flaw, classified under CWE\u2011502.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to inject a crafted serialized payload, for example by manipulating cached token files or exploiting another entry point that writes to the cache. Once a payload is processed, object injection can trigger arbitrary code execution if gadget chains exist in the runtime environment."}}}}, "created": "2026-03-26T11:30:54.809401+00:00", "updated": "2026-03-26T12:08:56.671844+00:00", "vendors": ["saloonphp", "saloonphp$PRODUCT$saloon"]}