GHSA-9qfv-wgh2-m6p8

Source
https://github.com/advisories/GHSA-9qfv-wgh2-m6p8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-9qfv-wgh2-m6p8/GHSA-9qfv-wgh2-m6p8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9qfv-wgh2-m6p8
Aliases
  • CVE-2026-55374
Published
2026-06-19T14:13:55Z
Modified
2026-06-19T14:30:08.297006877Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
canto-saas-api: Authenticated API requests can be redirected via unencoded path variables
Details

## Summary

In affected versions, Request::buildRequestUrl() inserts path variables into the request URL without URL encoding (implode('/', $pathVariables)). All request classes implementing getPathVariables() are affected, e.g. GetContentDetailsRequest (scheme, contentId).

If a consuming application passes untrusted input (such as an ID taken from an HTTP request parameter) as a path variable, characters like ../, ? or # are sent verbatim and can change the path of the resulting API request: a ? turns the remainder of the value into a query string, a # truncates the request target at the fragment, and ../ climbs out of the intended path segment wherever the HTTP client or server resolves dot segments.

## Impact

An attacker who controls a path variable value can redirect the library's authenticated request — the Bearer access token is attached in AbstractEndpoint::sendRequest() — to a different API endpoint of the same Canto instance, causing unintended reads or writes with the privileges of the configured app. The impact depends on how the consuming application sources path variable values; applications that only pass trusted, validated IDs are not exploitable.

## Patches

Fixed in 3.0.0: every path segment is encoded with rawurlencode() before being inserted into the request URL.

## Workarounds

If you cannot upgrade, validate untrusted values before passing them to request classes, e.g. enforce an allowlist pattern such as ^[A-Za-z0-9_-]+$ for content IDs and schemes.
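The following is an added example, not code from jleehr/canto-saas-api. It reproduces in miniature the two behaviours described under Summary (the unencoded implode('/', ...) of versions up to 2.0.0 beside the rawurlencode() of every segment in 3.0.0) and the allowlist workaround above, and shows where a request built from a hostile contentId actually ends up. The tenant base URL, the "info" endpoint path and the sample contentId values are assumptions made for illustration; the dot-segment normalizer stands in for whatever the HTTP client or server would do with ../.

```php
<?php
declare(strict_types=1);

// Added example, not the library's code. Base URL and endpoint name are assumed.
const BASE_URL = 'https://example.canto.com/api/v1';

/** Pre-3.0.0 behaviour: path variables joined verbatim, no encoding. */
function buildVulnerableUrl(string $endpoint, array $pathVariables): string
{
    return BASE_URL . '/' . $endpoint . '/' . implode('/', $pathVariables);
}

/** 3.0.0 behaviour: every segment percent-encoded before insertion. */
function buildFixedUrl(string $endpoint, array $pathVariables): string
{
    return BASE_URL . '/' . $endpoint . '/' . implode('/', array_map('rawurlencode', $pathVariables));
}

/** Workaround for versions that cannot be upgraded: allowlist before use. */
function assertSafePathVariable(string $value): string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $value)) {
        throw new InvalidArgumentException("rejected path variable: $value");
    }
    return $value;
}

/**
 * Resolve "." and ".." segments the way a client or server normalizing the
 * request target (RFC 3986 section 5.2.4) would, so the effect of "../" is
 * visible. Simplified: takes a bare path with the authority already removed.
 */
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..') {
            array_pop($out);
        } elseif ($segment !== '.' && $segment !== '') {
            $out[] = $segment;
        }
    }
    return '/' . implode('/', $out);
}

/** Print the effective path, query and fragment of a built request URL. */
function describe(string $label, string $url): void
{
    $parts = parse_url($url);
    printf("%-11s path=%s query=%s fragment=%s\n",
        $label,
        normalizePath($parts['path'] ?? ''),
        $parts['query'] ?? '-',
        $parts['fragment'] ?? '-'
    );
}

// Constructed inputs: one legitimate ID and two attacker-controlled values a
// consuming application might have copied straight from a request parameter.
$samples = [
    'benign'    => 'abc123',
    'traversal' => '../../other-endpoint?force=true',
    'fragment'  => 'abc123#ignored',
];

foreach ($samples as $name => $contentId) {
    echo "== contentId ({$name}): {$contentId}\n";
    describe('vulnerable', buildVulnerableUrl('info', ['image', $contentId]));
    describe('fixed',      buildFixedUrl('info', ['image', $contentId]));
    try {
        assertSafePathVariable($contentId);
        echo "allowlist:  accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "allowlist:  " . $e->getMessage() . "\n";
    }
}
```

Run with php on the command line. For the traversal sample the vulnerable builder yields a request whose normalized path is /api/v1/other-endpoint with a query string of force=true, i.e. a different endpoint reached with the library's Bearer token, while the fixed builder keeps the whole value as one segment under /info/image/ (rawurlencode leaves the dots alone but encodes / as %2F and ? as %3F, so nothing is reinterpreted). The fragment sample shows the # case: unencoded, everything after it is dropped before the request leaves the client. Note that whether ../ is resolved by the client before sending or by the server on receipt varies by HTTP stack; either way the effective resource changes, which is why the allowlist or the upgrade is the right fix rather than relying on client behaviour.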

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T14:13:55Z",
    "cwe_ids": [
        "CWE-74",
        "CWE-918"
    ]
}
References

Affected packages

Packagist / jleehr/canto-saas-api

Package

Name
jleehr/canto-saas-api
Purl
pkg:composer/jleehr%2Fcanto-saas-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.0.0

Affected versions

  • 1.*: 1.0.3
  • 2.*: 2.0.0

Database specific

last_known_affected_version_range
"<= 2.0.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-9qfv-wgh2-m6p8/GHSA-9qfv-wgh2-m6p8.json"