Vulnerability Description
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Saloon | Saloon | < 4.0.0 |
Related Weaknesses (CWE)
References
- https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4Release Notes
- https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9Vendor Advisory
FAQ
What is CVE-2026-33942?
CVE-2026-33942 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token st...
How severe is CVE-2026-33942?
CVE-2026-33942 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33942?
Check the references section above for vendor advisories and patch information. Affected products include: Saloon Saloon.