
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33182: Server-Side Request Forgery and Credential Leakage in Saloon PHP

Vulnerability ID: CVE-2026-33182
CVSS Score: 6.6
Published: 2026-03-25

Saloon PHP library versions prior to 4.0.0 are vulnerable to Server-Side Request Forgery (SSRF) and credential leakage. The library's URL construction logic permits absolute URLs provided as endpoints to override the configured base URL, causing the library to transmit sensitive connector-level state to arbitrary attacker-controlled hosts.

TL;DR

A flaw in Saloon PHP < 4.0.0 allows attacker-supplied absolute URLs to override the base URL, leaking authentication headers and tokens to third-party servers.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS Score: 6.6 (Medium)
  • Impact: High Confidentiality (Credential Leakage)
  • Exploit Status: Proof of Concept Available
  • Authentication: None Required

Affected Systems

  • Saloon PHP Library: < 4.0.0 (Fixed in: 4.0.0)

Code Analysis

Commit: d418356

Foundational fix restricting absolute URL overrides in endpoints

Commit: 1307b1d

Implementation of explicit opt-in logic for base URL overrides

Mitigation Strategies

  • Upgrade Saloon PHP library to version 4.0.0.
  • Audit custom Request classes for unvalidated user input reaching resolveEndpoint(); any value that can contain a scheme and host must be rejected or reduced to a relative path.
  • Implement strict allowlists for any dynamically generated outbound URLs.
  • Ensure allowBaseUrlOverride is strictly scoped to specific requests and never enabled globally.

Remediation Steps:

  1. Modify composer.json to require saloonphp/saloon: ^4.0.
  2. Run composer update saloonphp/saloon.
  3. Review the Saloon v3 to v4 upgrade guide for breaking changes.
  4. Locate all instances of resolveEndpoint() and verify input sanitization.
  5. Apply the allowBaseUrlOverride = true property only to trusted, statically defined endpoint configurations.
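The audit and sanitization steps above (mitigation bullets on resolveEndpoint() and allowlists, remediation step 4) in working form. This is an added example, not code from the Saloon project or the original report; the class name, the userId field and the assertSafeSegment helper are hypothetical, and the Saloon base classes used are Saloon\Http\Request and Saloon\Enums\Method.

```php
<?php
// Added example (not Saloon's or the report's own code): a Saloon Request that
// validates the caller-supplied identifier so resolveEndpoint() can only ever
// return a path relative to the connector's base URL. Names are hypothetical.

namespace App\Http\Integrations\Requests;

use InvalidArgumentException;
use Saloon\Enums\Method;
use Saloon\Http\Request;

final class GetUserRequest extends Request
{
    protected Method $method = Method::GET;

    public function __construct(private string $userId)
    {
        // Fail at construction time, before the connector builds any URL.
        self::assertSafeSegment($userId);
    }

    public function resolveEndpoint(): string
    {
        // Vulnerable pattern this replaces (do not use):
        //   return $this->userSuppliedUrl;   // e.g. "https://example.invalid/" from a form field
        // In Saloon < 4.0.0 an absolute value returned here overrides the
        // connector's base URL, so the connector's auth headers and tokens are
        // sent to whatever host that value names.
        //
        // Hardened: always a path appended to the base URL, built from a value
        // that the allowlist below guarantees contains no scheme, host or "/".
        return '/users/' . rawurlencode($this->userId);
    }

    private static function assertSafeSegment(string $value): void
    {
        // Allowlist a single opaque path segment; everything else is rejected,
        // including "://", "/", "..", "%2F" and the empty string.
        if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) !== 1) {
            throw new InvalidArgumentException('Unsafe user identifier rejected.');
        }
    }
}
```

Apply the same check to every resolveEndpoint() that incorporates request or database data; endpoints that legitimately must be absolute belong in static, code-defined configuration rather than in anything derived from input.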

