cbcvebase.
CVE-2026-33942
published 2026-03-26

Priority: P2 (64) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.62% (45.3rd percentile)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class, requiring users to store and resolve the authenticator manually.
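The unserialize() pattern the description refers to, beside two hardened forms, as an added example that is not Saloon's own code: the AccessToken and AuditedOnWakeup classes, the restore functions and the cache contents are hypothetical, and the stand-in class with __wakeup only writes a log line.

```php
<?php
// Added example, not Saloon's code: a hypothetical cache-backed token store
// showing the unserialize() pattern the advisory describes next to safer forms.
final class AccessToken
{
    public function __construct(public string $accessToken, public int $expiresAt) {}
}

// Harmless stand-in for any class with magic methods: with allowed_classes => true,
// the cache contents, not the application, decide that it gets instantiated.
final class AuditedOnWakeup
{
    public function __wakeup(): void { error_log('AuditedOnWakeup::__wakeup ran'); }
}

// Vulnerable pattern (as described for versions before 4.0.0).
function restoreTokenUnsafe(string $cached): mixed
{
    return unserialize($cached, ['allowed_classes' => true]);
}

// Hardened variant 1: pin the only acceptable class. Anything else becomes
// __PHP_Incomplete_Class and none of its magic methods run.
function restoreTokenPinned(string $cached): ?AccessToken
{
    $value = unserialize($cached, ['allowed_classes' => [AccessToken::class]]);
    return $value instanceof AccessToken ? $value : null;
}

// Hardened variant 2: no PHP serialization at all; persist plain JSON and rebuild
// the object yourself, which is the manual store/resolve approach 4.0.0 expects.
function storeTokenJson(AccessToken $t): string
{
    return json_encode(['access_token' => $t->accessToken, 'expires_at' => $t->expiresAt]);
}

function restoreTokenJson(string $cached): ?AccessToken
{
    $d = json_decode($cached, true, 512, JSON_THROW_ON_ERROR);
    if (!is_string($d['access_token'] ?? null) || !is_int($d['expires_at'] ?? null)) {
        return null;
    }
    return new AccessToken($d['access_token'], $d['expires_at']);
}

// Constructed cache contents: a legitimate token and a tampered entry naming another class.
$legit = serialize(new AccessToken('tok_example', 1_800_000_000));
$tampered = 'O:15:"AuditedOnWakeup":0:{}';
restoreTokenUnsafe($tampered);            // __wakeup of the cache-chosen class runs here
restoreTokenPinned($tampered);            // rejected: class not allowed, no magic method invoked
restoreTokenJson(storeTokenJson(restoreTokenPinned($legit)));  // round-trips without unserialize()
```

The detection point in the list below follows from variant 1: a legitimate cache entry never names any class but the token class, so an entry that does is itself a signal worth alerting on.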

Affected (3 ranges)

Vendor      Product   Version range    Fixed in
saloon      saloon    < 4.0.0          4.0.0
saloonphp   saloon    < 4.0.0          4.0.0
saloonphp   saloon    >= 0, < 4.0.0    4.0.0

Detection & IOCs (extracted from sources)

  • Detect use of PHP unserialize() with allowed_classes => true in AccessTokenAuthenticator::unserialize() within the saloonphp/saloon library (versions prior to 4.0.0), which is the vulnerable code path for object injection.
  • Monitor for unexpected modification or overwriting of cached OAuth token files used by saloonphp/saloon, as an attacker controlling the serialized string (e.g. by overwriting a cached token file) is the primary attack vector.
  • Alert on PHP magic method invocations (__wakeup, __destruct) triggered during deserialization in the context of saloonphp/saloon OAuth token restoration, which may indicate gadget chain exploitation.
  • In environments with Monolog as a dependency, monitor for RCE indicators following deserialization events in saloonphp/saloon, as Monolog gadget chains can be leveraged for remote code execution.
  • The vulnerability is fully remediated in saloonphp/saloon version 4.0.0, which removes PHP serialization from AccessTokenAuthenticator entirely. Users must now store and resolve the authenticator manually after upgrading.
  • No public exploit is currently available for this CVE, though EPSS exploitation probability is rated at the 62.4th percentile, suggesting elevated risk of future exploitation.

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD      v4.0      8.1     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X