Description
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request—and any authentication headers, cookies, or tokens attached by the connector—was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis.
Published: 2026-03-26
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery and Credential Leakage
Action: Apply Patch
AI Analysis

Impact

Saloon builds request URLs by combining a connector’s base URL with an endpoint. When that endpoint is a valid absolute URL, the library sends the request to the absolute location, bypassing the base URL and attaching any authentication headers, cookies, or tokens. This allows an attacker to cause the server to send traffic to an arbitrary host, potentially exfiltrating credentials or accessing internal resources. The flaw is a Server‑Side Request Forgery (CWE‑918) that can also result in credential leakage (CWE‑522).

Affected Systems

The PHP library Saloon, published by saloonphp, is impacted. All versions earlier than 4.0.0 contain the flaw. An attacker can exploit it when an endpoint value can be supplied from user input or system configuration, such as redirect_uri or callback URLs.

Risk and Exploitability

The CVSS v4.0 base score of 6.6 (NVD separately recorded a v3.1 score of 7.5 with confidentiality impact high; see History) places this in the moderate-to-high range. The EPSS score below 1% is an estimate that exploitation in the wild is unlikely over the next 30 days; it says nothing about how hard the bug is to trigger, and the SSVC assessment recorded in History rates it automatable with no known exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that the application uses Saloon earlier than 4.0.0 and that an attacker can get an absolute URL into a request endpoint, for example through a redirect_uri or callback parameter that the application passes through to a request. If that holds, the server connects to the attacker‑controlled host and sends it whatever the connector attaches (bearer tokens, API keys, cookies), so a confirmed exploitation should be handled as a credential compromise that requires rotation, not only as an SSRF; the same mechanism can also be pointed at internal services.

Generated by OpenCVE AI on March 30, 2026 at 18:30 UTC.

Remediation

A vendor fix is available: Saloon 4.0.0 rejects absolute URLs in the endpoint (URLHelper::join() throws InvalidArgumentException) unless the caller explicitly opts in per connector or per request. No workaround for earlier versions is listed; short of upgrading, validate endpoint values in application code so that user‑controlled input can never become an absolute URL.

OpenCVE Recommended Actions

  • Upgrade Saloon to version 4.0.0 or newer, which rejects absolute URLs in endpoints unless explicitly allowed. Code that legitimately relied on absolute endpoints will start throwing InvalidArgumentException after the upgrade and must opt in per connector or per request; treat every such opt‑in as a place where the endpoint value must be allowlisted.
  • Modify configuration or code to disallow or carefully filter any absolute URLs in request endpoints, especially for redirect_uri or callback parameters.
  • Validate or sanitize user input that determines endpoint URLs to ensure only relative paths or trusted domains are used.
  • Review connector settings to eliminate externally controllable redirect_uri or callback URLs that could be manipulated by an attacker.
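As an added illustration (not Saloon's own code), the following PHP sketches the join behaviour the advisory describes, the 4.0.0‑style rejection with an explicit opt‑in, and the host allowlist the recommended actions call for. The function names joinUrlUnsafe, joinUrl, isAbsoluteUrl and assertAllowedCallback, the $allowAbsolute flag, and the sample URLs are assumptions made for this example; Saloon's real URLHelper::join() signature is not reproduced here.

```php
<?php
declare(strict_types=1);

// Illustrative re-implementation of the URL-joining pattern described in the
// advisory. This is NOT Saloon's code; all names below are hypothetical.

// "Valid absolute URL" is modelled here as: parses, has a scheme and host,
// and the scheme is http or https. (Assumption for this example.)
function isAbsoluteUrl(string $url): bool
{
    $parts = parse_url($url);
    return $parts !== false
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Pre-4.0.0 behaviour as the advisory describes it: an endpoint that parses
// as an absolute URL wins over the base URL, so the request (and whatever auth
// the connector attaches) is sent to that host instead.
function joinUrlUnsafe(string $baseUrl, string $endpoint): string
{
    if (isAbsoluteUrl($endpoint)) {
        return $endpoint; // base URL silently ignored
    }
    return rtrim($baseUrl, '/') . '/' . ltrim($endpoint, '/');
}

// Hardened join modelled on the 4.0.0 fix as described: absolute endpoints
// are rejected unless the caller opts in explicitly.
function joinUrl(string $baseUrl, string $endpoint, bool $allowAbsolute = false): string
{
    if (isAbsoluteUrl($endpoint)) {
        if (! $allowAbsolute) {
            throw new InvalidArgumentException(
                'Endpoint must be relative to the base URL; absolute URLs require an explicit opt-in.'
            );
        }
        return $endpoint;
    }
    return rtrim($baseUrl, '/') . '/' . ltrim($endpoint, '/');
}

// Even where absolute URLs are opted in, user-supplied values such as
// redirect_uri or callback URLs should be checked against a host allowlist
// before they can reach the request. Rejects non-https, userinfo tricks
// (https://trusted@attacker.example/) and any host not on the list.
function assertAllowedCallback(string $url, array $allowedHosts): string
{
    $parts = parse_url($url);
    if ($parts === false || ! isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Callback must be an absolute http(s) URL.');
    }
    if (strtolower($parts['scheme']) !== 'https') {
        throw new InvalidArgumentException('Callback must use https.');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Userinfo in a callback URL is not allowed.');
    }
    if (! in_array(strtolower($parts['host']), $allowedHosts, true)) {
        throw new InvalidArgumentException('Callback host is not allowlisted.');
    }
    return $url;
}

// Constructed sample input for this example.
$base     = 'https://api.example.com/v1';
$attacker = 'https://attacker.example/collect';

echo joinUrlUnsafe($base, '/users'), PHP_EOL;   // normal relative endpoint
echo joinUrlUnsafe($base, $attacker), PHP_EOL;  // attacker host wins: SSRF / credential leak

echo joinUrl($base, '/users'), PHP_EOL;
try {
    joinUrl($base, $attacker);                  // rejected without opt-in
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

try {
    assertAllowedCallback($attacker, ['app.example.com']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo assertAllowedCallback('https://app.example.com/oauth/callback', ['app.example.com']), PHP_EOL;
```

Running it with `php example.php` shows the unsafe join handing the attacker's URL back unchanged, the hardened join throwing on the same input, and the allowlist check accepting only the trusted host. Note that scheme-relative values such as `//attacker.example/x` do not parse with a scheme, so they fall through to the relative branch in both joins; that is why the allowlist check is still required where any user-controlled value becomes part of a URL.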

Generated by OpenCVE AI on March 30, 2026 at 18:30 UTC.

Advisories

  • Source: GitHub GHSA
    ID: GHSA-c83f-3xp6-hfcp
    Title: Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL

History

All entries below are values added; no values were removed in any entry.

Mon, 30 Mar 2026 17:00:00 +0000

  • First Time appeared: Saloon; Saloon saloon
  • CPEs: cpe:2.3:a:saloon:saloon:*:*:*:*:*:*:*:*
  • Vendors & Products: Saloon; Saloon saloon
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Mar 2026 15:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

  • First Time appeared: Saloonphp; Saloonphp saloon
  • Vendors & Products: Saloonphp; Saloonphp saloon

Thu, 26 Mar 2026 01:00:00 +0000

  • Description: Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request—and any authentication headers, cookies, or tokens attached by the connector—was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis.
  • Title: Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL
  • Weaknesses: CWE-522; CWE-918
  • References
  • Metrics (cvssV4_0): {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T14:18:29.802Z

Reserved: 2026-03-17T22:16:36.720Z

Link: CVE-2026-33182

Vulnrichment

Updated: 2026-03-26T14:18:26.473Z

NVD

Status : Analyzed

Published: 2026-03-26T01:16:27.043

Modified: 2026-03-30T16:51:45.823

Link: CVE-2026-33182

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:46Z

Weaknesses