
CVE

CVE-2026-33942

Saloon has insecure deserialization in AccessTokenAuthenticator

Impact

Affects users of the OAuth2 utilities in Saloon, specifically those relying on the AccessTokenAuthenticator class.

Patches

Upgrade to Saloon v4+

Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4

Description

The Saloon PHP library used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and invokes its magic methods (__wakeup, __destruct, etc.), resulting in PHP object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix removes PHP serialization from the AccessTokenAuthenticator class, requiring users to store and resolve the authenticator manually.
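The storage-format change described above, as an added illustration that is not Saloon's own code: a stand-in TokenState class carrying the fields an access-token authenticator holds, the unserialize() pattern the advisory describes shown for contrast, and a JSON-based store/restore pair that rebuilds the object through its constructor so the stored bytes never decide which class gets instantiated. The class name, field names and the looksLikePhpSerializedObject() audit helper are assumptions made for this example; the sample token values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an access-token authenticator (not Saloon's class).
final class TokenState
{
    public function __construct(
        public readonly string $accessToken,
        public readonly ?string $refreshToken,
        public readonly ?DateTimeImmutable $expiresAt,
    ) {}
}

// VULNERABLE pattern, shown for contrast: the stored blob chooses the class that
// PHP instantiates and whose __wakeup/__destruct run. An attacker-controlled
// cache entry therefore becomes object injection, as the advisory describes.
function restoreVulnerable(string $blob): TokenState
{
    return unserialize($blob, ['allowed_classes' => true]);
}

// HARDENED pattern: persist only scalar fields as JSON and rebuild the object
// through its constructor. json_decode() never instantiates application classes.
function storeSafe(TokenState $state): string
{
    return json_encode([
        'access_token'  => $state->accessToken,
        'refresh_token' => $state->refreshToken,
        'expires_at'    => $state->expiresAt?->format(DateTimeInterface::ATOM),
    ], JSON_THROW_ON_ERROR);
}

function restoreSafe(string $blob): TokenState
{
    $data = json_decode($blob, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !is_string($data['access_token'] ?? null)) {
        throw new UnexpectedValueException('Malformed token record');
    }
    $refresh = $data['refresh_token'] ?? null;
    if ($refresh !== null && !is_string($refresh)) {
        throw new UnexpectedValueException('Malformed refresh token');
    }
    $expiresAt = null;
    if (isset($data['expires_at'])) {
        if (!is_string($data['expires_at'])) {
            throw new UnexpectedValueException('Malformed expiry');
        }
        $expiresAt = new DateTimeImmutable($data['expires_at']);
    }
    return new TokenState($data['access_token'], $refresh, $expiresAt);
}

// Audit helper (assumption): a PHP-serialized object record starts with
// O:<len>:" or C:<len>:", a JSON record starts with "{". Useful for finding
// legacy PHP-serialized token entries in a cache before they are trusted.
function looksLikePhpSerializedObject(string $blob): bool
{
    return (bool) preg_match('/^[OC]:\d+:"/', $blob);
}

// Usage with a constructed token record.
$state = new TokenState(
    'tok_example',
    'rt_example',
    new DateTimeImmutable('2030-01-01T00:00:00+00:00')
);
$blob = storeSafe($state);
$back = restoreSafe($blob);

if ($back->accessToken !== 'tok_example' || $back->refreshToken !== 'rt_example') {
    throw new RuntimeException('JSON round-trip failed');
}
if (looksLikePhpSerializedObject($blob) || !looksLikePhpSerializedObject(serialize($state))) {
    throw new RuntimeException('format detection failed');
}
echo "JSON round-trip ok; legacy PHP-serialized records are detectable\n";
```

The point of rebuilding through the constructor is that every field is validated as a scalar before it is used, so a tampered cache entry can at worst fail validation; it cannot trigger magic methods on an unexpected class.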

Credits

Saloon thanks @HuajiHD for finding the issue and recommending solutions and @jonpurvis for applying the fix.


CVSS Version

CVSS Version: 4.0
Base Score: 8.1
Score Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9
https://nvd.nist.gov/vuln/detail/CVE-2026-33942
https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4
https://github.com/saloonphp/saloon

Severity

9.8 (CVSS score, scale 0 to 10)

Basic Information

Ecosystem:
Base CVSS: 9.8
EPSS Probability: 0.00574%
EPSS Percentile: 0.68586%
Introduced Version: 0
Fix Available: 4.0.0
