CVE-2026-33942: Insecure Deserialization to RCE in Saloon PHP
Vulnerability ID: CVE-2026-33942
CVSS Score: 9.8
Published: 2026-03-27
Saloon PHP library versions prior to 4.0.0 suffer from a critical insecure deserialization vulnerability. Unsafe handling of cached OAuth tokens in the AccessTokenAuthenticator class allows attackers to achieve Remote Code Execution (RCE) via PHP object injection.
TL;DR
CVE-2026-33942 is a critical insecure deserialization flaw in Saloon PHP (<4.0.0). By injecting crafted serialized objects into token caches, attackers can trigger PHP gadget chains to achieve unauthenticated Remote Code Execution.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-502
- Attack Vector: Network
- CVSS v3.1 Score: 9.8
- Impact: Remote Code Execution (RCE)
- EPSS Score: 0.00325
- Exploit Status: Proof of Concept via Gadget Chains
Affected Systems
- saloonphp/saloon prior to version 4.0.0
- PHP applications utilizing Saloon with token caching enabled
- saloon: < 4.0.0 (Fixed in: 4.0.0)
Code Analysis
- Commit d418356: Foundational improvements for v4 including removal of serialize methods
- Commit 1307b1d: SSRF/URL Overrides and credential leakage protections
Mitigation Strategies
- Upgrade to saloonphp/saloon version 4.0.0 or later.
- Replace PHP serialization with JSON encoding for token persistence.
- Enforce strict file system permissions on token cache directories.
- Implement file integrity monitoring on storage mechanisms.
Remediation Steps:
- Modify composer.json to require saloonphp/saloon ^4.0.0.
- Run composer update saloonphp/saloon.
- Identify all instances where AccessTokenAuthenticator is serialized or deserialized.
- Refactor persistence logic to use json_encode() and json_decode().
- Ensure the cache storage directory has 0600 or 0700 permissions.
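The following is an added example, not code from Saloon or from the advisory, that puts the steps above into working PHP: the "before" pattern the advisory describes (unserialize() on a token cache an attacker may be able to write) next to a JSON-based token store that creates its directory with 0700, writes each cache file with 0600, and validates the decoded shape before trusting it. The TokenStore class name, the token fields (access_token, refresh_token, expires_at) and the sample values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// BEFORE (the CWE-502 pattern): whoever can write the cache file chooses which
// classes get instantiated on read, which is the PHP object injection path to
// gadget-chain RCE. Kept here only to contrast with the safe version below.
function loadTokenUnsafe(string $path): object
{
    return unserialize(file_get_contents($path));
}

// AFTER: JSON persistence. json_decode() with $associative = true only ever
// produces scalars and arrays, so no object is constructed and no __wakeup /
// __destruct gadget can fire regardless of the file's contents.
final class TokenStore // hypothetical class, not part of Saloon
{
    private string $dir;

    public function __construct(string $dir)
    {
        $this->dir = $dir;
        // 0700: only the owning user can list, read or write the cache directory.
        if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
            throw new RuntimeException("Cannot create token cache directory: $dir");
        }
    }

    public function save(string $key, string $accessToken, ?string $refreshToken, int $expiresAt): void
    {
        $payload = [
            'access_token'  => $accessToken,
            'refresh_token' => $refreshToken,
            'expires_at'    => $expiresAt,
        ];
        $json = json_encode($payload, JSON_THROW_ON_ERROR);

        // Write to a temp file, restrict it to 0600, then rename atomically so a
        // reader never sees a half-written or world-readable token file.
        $path = $this->path($key);
        $tmp  = $path . '.tmp';
        if (file_put_contents($tmp, $json, LOCK_EX) === false) {
            throw new RuntimeException("Cannot write token cache: $tmp");
        }
        chmod($tmp, 0600);
        rename($tmp, $path);
    }

    public function load(string $key): ?array
    {
        $path = $this->path($key);
        if (!is_file($path)) {
            return null;
        }
        $data = json_decode(file_get_contents($path), true, 8, JSON_THROW_ON_ERROR);

        // Validate the shape and types before handing the token to callers; a
        // tampered cache file should fail closed rather than be used.
        $refresh = $data['refresh_token'] ?? null;
        if (!is_array($data)
            || !is_string($data['access_token'] ?? null)
            || !($refresh === null || is_string($refresh))
            || !is_int($data['expires_at'] ?? null)) {
            throw new UnexpectedValueException("Malformed token cache: $path");
        }
        return $data;
    }

    private function path(string $key): string
    {
        // Hash the cache key so caller-supplied names cannot steer the file path.
        return $this->dir . '/' . hash('sha256', $key) . '.json';
    }
}

// Usage with constructed sample values.
$store = new TokenStore(sys_get_temp_dir() . '/example-token-cache');
$store->save('example-api', 'constructed-access-token', null, time() + 3600);
$token = $store->load('example-api');
printf("token expires at %d\n", $token['expires_at']);
```

The store deliberately returns a plain array rather than rehydrating an authenticator object; if the application needs an object, construct it explicitly from the validated fields in code you control, so the cache file never decides which class is created. File integrity monitoring on the cache directory, as the mitigation list suggests, complements this by flagging writes that did not come from the application.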
References
- GitHub Security Advisory (GHSA-rf88-776r-rcq9)
- Saloon v3 to v4 Upgrade Guide
- NVD CVE-2026-33942 Detail
- Mitre CVE Record