CVE-2026-33942

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33942
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33942.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33942
Aliases
Published
2026-03-26T00:27:23.776Z
Modified
2026-04-10T05:43:19.679071Z
Severity
  • 8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)
Details

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33942.json",
    "cwe_ids": [
        "CWE-502"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/saloonphp/saloon

Affected ranges

Type
GIT
Repo
https://github.com/saloonphp/saloon
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
1307b1d72cacdd2c9c20978cdf7a0b720b4bf3bb
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0.0"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.1.0
v0.10.0
v0.11.0
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.5.0
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.7.0
v0.7.1
v0.7.2
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v0.9.1
v0.9.2
v1.*
v1.0
v1.0.1
v1.1.0
v1.2.0
v2.*
v2.0.0
v2.0.0-beta1
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-beta4
v2.0.0-beta5
v2.0.0-beta6
v2.0.0-beta7
v2.0.1
v2.0.2
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v3.*
v3.0.0
v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-beta.3
v3.0.0-beta.4
v3.0.0-beta.5
v3.0.0-beta.6
v3.0.0-beta.7
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.1.0
v3.10.0
v3.10.1
v3.11.0
v3.11.1
v3.11.2
v3.12.0
v3.13.0
v3.13.1
v3.14.0
v3.14.1
v3.14.2
v3.14.3
v3.15.0
v3.2.0
v3.3.0
v3.3.1
v3.3.2
v3.4.0
v3.4.1
v3.4.2
v3.5.0
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.7.0
v3.8.0
v3.8.1
v3.9.0
v3.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33942.json"