Cyber Posture

CVE-2026-33942

Critical

Published: 26 March 2026

Modified: 26 March 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class, requiring users to store and resolve the authenticator manually.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the CVE by requiring timely patching of the Saloon library to version 4.0.0, which removes the unsafe PHP unserialize() usage.

prevent: Scans for and remediates vulnerabilities like CVE-2026-33942 in PHP libraries and dependencies, enabling proactive flaw identification and patching.

prevent: Validates serialized OAuth token data from cache or storage before deserialization to block malicious gadget objects that enable object injection.

Security Summary

CVE-2026-33942 is a PHP object injection vulnerability (CWE-502) in the Saloon PHP library, which provides tools for building API integrations and SDKs. Versions prior to 4.0.0 use PHP's unserialize() function with allowed_classes => true in the AccessTokenAuthenticator::unserialize() method to restore OAuth token state from cache or storage. This allows attackers who control the serialized string to supply a malicious "gadget" object, triggering PHP magic methods like __wakeup or __destruct upon deserialization.

An unauthenticated attacker (AV:N/AC:L/PR:N) with the ability to overwrite a cached token file or inject data into the storage mechanism can exploit this remotely with low complexity. Successful object injection can be chained with common dependencies, such as Monolog, to achieve remote code execution (RCE), resulting in high confidentiality, integrity, and availability impacts (CVSS 9.8: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Saloon project addressed this in version 4.0.0 by removing PHP serialization from the AccessTokenAuthenticator class, requiring users to manually store and resolve the authenticator. Further details on upgrading from v3 to v4 are available in the official documentation at https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4, and the GitHub security advisory at https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9 provides additional guidance.
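The following PHP snippet is an added illustration of the pattern the description and summary above talk about; it is not code from Saloon, and the class and method names (VulnerableTokenStore, GuardedTokenStore, AccessToken) are hypothetical. Only the unserialize() with allowed_classes => true pattern, and the idea of the 4.0.0 fix (no PHP serialization of the token state at all), come from the advisory. It shows the unsafe restore, an interim guard for code that cannot change its storage format yet, and a JSON-based replacement that never rebuilds an object graph from untrusted bytes. It assumes PHP 8.1 or later.

```php
<?php
// Added illustration, not code from Saloon. Class and method names are
// hypothetical; only the unserialize()/allowed_classes pattern and the
// "store token state without PHP serialization" idea come from the advisory.
// Requires PHP 8.1+ (readonly properties).
declare(strict_types=1);

// Vulnerable pattern: bytes read from a cache file or storage backend are
// handed straight to unserialize() with allowed_classes => true. PHP will
// instantiate whatever class the payload names and run its __wakeup()
// (and later __destruct()) methods, which is the object-injection primitive
// described in the advisory. Do not use this in new code.
final class VulnerableTokenStore
{
    public function restore(string $cached): mixed
    {
        return unserialize($cached, ['allowed_classes' => true]);
    }
}

// Interim mitigation if the serialized format cannot be changed yet:
// allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class (no constructor or magic methods run), and the
// caller additionally rejects anything that is not a plain array of scalars.
final class GuardedTokenStore
{
    public function restore(string $cached): array
    {
        $data = unserialize($cached, ['allowed_classes' => false]);
        if (!is_array($data)) {
            throw new UnexpectedValueException('Token cache must contain an array');
        }
        // array_walk_recursive visits leaves only, and an object is a leaf here.
        array_walk_recursive($data, static function (mixed $value): void {
            if (is_object($value)) {
                throw new UnexpectedValueException('Objects are not allowed in the token cache');
            }
        });
        return $data;
    }
}

// Hardened pattern in the spirit of the 4.0.0 fix: no PHP serialization at all.
// Token state is written as JSON scalars and rebuilt through a constructor
// with explicit type checks, so no object graph is ever reconstructed from
// data an attacker may control.
final class AccessToken
{
    public function __construct(
        public readonly string $accessToken,
        public readonly ?string $refreshToken,
        public readonly ?int $expiresAt,
    ) {
    }

    public function toJson(): string
    {
        return json_encode([
            'access_token'  => $this->accessToken,
            'refresh_token' => $this->refreshToken,
            'expires_at'    => $this->expiresAt,
        ], JSON_THROW_ON_ERROR);
    }

    public static function fromJson(string $json): self
    {
        $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($data) || !is_string($data['access_token'] ?? null)) {
            throw new UnexpectedValueException('Malformed token payload');
        }
        $refresh = $data['refresh_token'] ?? null;
        $expires = $data['expires_at'] ?? null;
        if (($refresh !== null && !is_string($refresh)) || ($expires !== null && !is_int($expires))) {
            throw new UnexpectedValueException('Malformed token payload');
        }
        return new self($data['access_token'], $refresh, $expires);
    }
}

// Constructed sample payload (not a real token): what the hardened store
// writes to the cache and then reads back.
$cached = (new AccessToken('tok_example', 'ref_example', 1800000000))->toJson();
$token  = AccessToken::fromJson($cached);
assert($token->accessToken === 'tok_example' && $token->expiresAt === 1800000000);
```

When reviewing a PHP code base for this class of issue, the thing to grep for is any unserialize() call whose input can be written by something other than the application itself (cache directories, shared storage, user-supplied cookies); allowed_classes => false is the minimum safe default for such calls, and replacing the format with JSON plus constructor validation, as the 4.0.0 fix does for this authenticator, removes the primitive entirely.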

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products: saloon / saloon, versions ≤ 4.0.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The PHP object injection vulnerability can be exploited remotely without authentication by manipulating cached or stored token data, so it maps to exploitation of a public-facing application leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
