Description
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class, requiring users to store and resolve the authenticator manually.
Published: 2026-03-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the Saloon library's use of PHP's unserialize() inside AccessTokenAuthenticator::unserialize(), called with allowed_classes => true so that any class the application can autoload may be instantiated during deserialization. An attacker who controls the cached token string can therefore replace the expected token object with a serialized instance of some other class already present in the application (a "gadget"). PHP instantiates that object and runs its magic methods, such as __wakeup on deserialization or __destruct when the object is released, with attacker-chosen property values. Where common dependencies such as Monolog are installed, such gadgets can be chained into remote code execution on the host running the library.
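The mechanism described above, shown end to end as an added example (this is illustration code written for this page, not Saloon's or Monolog's own code). BufferedFileLogger is a constructed stand-in for a real gadget class whose __destruct has a file-write side effect; TokenState is a hypothetical token holder standing in for the pre-4.0.0 authenticator. restoreVulnerable() reproduces the allowed_classes => true pattern, restoreNoClasses() shows the minimal hardening, and storeToken()/resolveToken() show the approach 4.0.0 requires of callers: persist plain data and rebuild the object explicitly, so no class name ever travels through the cache.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a gadget class that the application happens to have
// autoloaded. Its only job is to show that __destruct runs with attacker-chosen
// property values. Not Monolog's real code.
final class BufferedFileLogger
{
    public string $path = '';
    public string $buffer = '';

    public function __destruct()
    {
        if ($this->path !== '' && $this->buffer !== '') {
            file_put_contents($this->path, $this->buffer);
        }
    }
}

// Hypothetical token holder standing in for the pre-4.0.0 authenticator.
final class TokenState
{
    public function __construct(
        public string $accessToken,
        public ?string $refreshToken = null,
        public ?int $expiresAt = null,
    ) {}
}

// Vulnerable restore: whatever class name is in the string gets instantiated.
function restoreVulnerable(string $cached): mixed
{
    return unserialize($cached, ['allowed_classes' => true]);
}

// Hardened restore A: no classes at all. A gadget becomes __PHP_Incomplete_Class
// and none of its magic methods run.
function restoreNoClasses(string $cached): mixed
{
    return unserialize($cached, ['allowed_classes' => false]);
}

// Hardened restore B (the shape 4.0.0 pushes callers toward): store plain data,
// validate it on the way back in, and construct the object yourself.
function storeToken(TokenState $t): string
{
    return json_encode([
        'access_token'  => $t->accessToken,
        'refresh_token' => $t->refreshToken,
        'expires_at'    => $t->expiresAt,
    ], JSON_THROW_ON_ERROR);
}

function resolveToken(string $json): TokenState
{
    $d = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($d) || !is_string($d['access_token'] ?? null)) {
        throw new InvalidArgumentException('malformed token record');
    }
    return new TokenState(
        $d['access_token'],
        is_string($d['refresh_token'] ?? null) ? $d['refresh_token'] : null,
        is_int($d['expires_at'] ?? null) ? $d['expires_at'] : null,
    );
}

// --- Demonstration with a constructed payload ---
$target = sys_get_temp_dir() . '/gadget-wrote-this.txt';

// What an attacker would write into the token cache in place of a TokenState.
$gadget = new BufferedFileLogger();
$gadget->path = $target;
$gadget->buffer = "owned\n";
$payload = serialize($gadget);
unset($gadget);   // the local object's own __destruct fires here...
@unlink($target); // ...so start from a clean slate before the real test

$obj = restoreVulnerable($payload);
printf("vulnerable restore produced: %s\n", get_class($obj));
unset($obj); // __destruct runs now, writing the attacker's file
printf("gadget side effect present: %s\n", var_export(file_exists($target), true));
@unlink($target);

$safe = restoreNoClasses($payload);
printf("no-classes restore produced: %s\n", get_class($safe)); // __PHP_Incomplete_Class
unset($safe);
printf("gadget side effect present: %s\n", var_export(file_exists($target), true));

// The JSON round-trip has no way to carry a class name at all.
$t = resolveToken(storeToken(new TokenState('abc', 'r1', 1700000000)));
printf("json restore: token=%s expires=%d\n", $t->accessToken, $t->expiresAt);
```

Run it with any PHP 8.x CLI. The first restore reports BufferedFileLogger and the temp file appears; the second reports __PHP_Incomplete_Class and no file appears. Note that allowed_classes => false only neutralises class instantiation; it does not make the cached value trustworthy, so the explicit JSON resolve with field validation is the pattern to adopt when upgrading.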

Affected Systems

The affected vendor is SaloonPHP and the product is the Saloon PHP library. Versions older than 4.0.0, which precede the library's removal of native serialization, are impacted. Any application that uses these legacy versions for OAuth token persistence or recovery is at risk.

Risk and Exploitability

The CVSS 4.0 score of 8.1 (High) carries an Exploit Maturity of Unreported (E:U), and the EPSS score of under 1% indicates that widespread exploitation is unlikely at present; NVD's separate CVSS 3.1 assessment is 9.8 (Critical), reflecting the full confidentiality, integrity and availability impact once the deserialization is reached. The precondition is that an attacker can control the serialized token string, for example by overwriting the cached token file or through another injection that lands in the cache or storage backend, so the threat is most acute where token storage is writable from user-influenced paths or where an attacker already has a foothold on the file system or shared cache. The vulnerability is not listed in CISA's KEV catalog, but the impact warrants immediate mitigation.

Generated by OpenCVE AI on March 26, 2026 at 21:30 UTC.

Remediation

The vendor fix is Saloon 4.0.0, which removes PHP serialization from AccessTokenAuthenticator; applications must persist and resolve token state themselves after upgrading. No workaround for earlier versions is provided.

OpenCVE Recommended Actions

  • Upgrade the Saloon library to version 4.0.0 or later.
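A check for the action above, added here as example code (not part of the advisory or the Saloon project): it reads a project's composer.lock, looks up the installed Saloon version and reports whether it predates the fixed release. The Packagist name saloonphp/saloon is an assumption on this page; adjust it if your lock file records the package under a different name.

```php
<?php
declare(strict_types=1);

// Returns the installed version of $package from composer.lock contents, or
// null when the package is not present in either section.
function installedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 16, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $p) {
            if (($p['name'] ?? null) === $package && isset($p['version'])) {
                return (string) $p['version'];
            }
        }
    }
    return null;
}

// True when the installed version sorts below the fixed release. A leading
// "v" is stripped so version_compare() sees a plain semver string; pre-release
// tags such as 4.0.0-beta1 also compare below 4.0.0, which is the right answer
// for a fix that shipped in the 4.0.0 release.
function isAffected(?string $version, string $fixed = '4.0.0'): bool
{
    if ($version === null) {
        return false; // package not installed, nothing to upgrade
    }
    return version_compare(ltrim($version, 'v'), $fixed, '<');
}

$lockPath = $argv[1] ?? 'composer.lock';
$package  = 'saloonphp/saloon'; // assumed Packagist name
$lockJson = @file_get_contents($lockPath);
if ($lockJson === false) {
    fwrite(STDERR, "cannot read {$lockPath}\n");
    exit(2);
}

$version = installedVersion($lockJson, $package);
if ($version === null) {
    echo "{$package}: not installed\n";
    exit(0);
}
if (isAffected($version)) {
    echo "{$package} {$version}: AFFECTED, upgrade to 4.0.0 or later\n";
    exit(1);
}
echo "{$package} {$version}: not affected\n";
```

Invoke as `php check-saloon.php /path/to/composer.lock`; the non-zero exit code makes it usable as a CI gate. Because the lock file records what is actually installed rather than the constraint in composer.json, it is the right input for this check.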


Advisories
Source: GitHub GHSA
ID: GHSA-rf88-776r-rcq9
Title: Saloon has insecure deserialization in AccessTokenAuthenticator
History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Saloon
Saloon saloon
CPEs cpe:2.3:a:saloon:saloon:*:*:*:*:*:*:*:*
Vendors & Products Saloon
Saloon saloon
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Saloonphp
Saloonphp saloon
Vendors & Products Saloonphp
Saloonphp saloon

Thu, 26 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually.
Title Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-28T02:06:07.913Z

Reserved: 2026-03-24T19:50:52.104Z

Link: CVE-2026-33942

Vulnrichment

Updated: 2026-03-28T02:06:03.610Z

NVD

Status : Analyzed

Published: 2026-03-26T01:16:28.040

Modified: 2026-03-26T20:42:31.563

Link: CVE-2026-33942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:00Z

Weaknesses