CVE-2026-33942

{"id": "CVE-2026-33942", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T01:16:28.040", "references": [{"url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized \"gadget\" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually."}, {"lang": "es", "value": "Saloon es una biblioteca PHP que proporciona a los usuarios herramientas para construir integraciones de API y SDKs. Las versiones anteriores a la 4.0.0 utilizaban la funci\u00f3n unserialize() de PHP en AccessTokenAuthenticator::unserialize() para restaurar el estado del token OAuth desde la cach\u00e9 o el almacenamiento, con allowed_classes => true. Un atacante que puede controlar la cadena serializada (por ejemplo, sobrescribiendo un archivo de token en cach\u00e9 o mediante otra inyecci\u00f3n) puede proporcionar un objeto 'gadget' serializado. Cuando se ejecuta unserialize(), PHP instancia ese objeto y ejecuta sus m\u00e9todos m\u00e1gicos (__wakeup, __destruct, etc.), lo que lleva a la inyecci\u00f3n de objetos. En entornos con dependencias comunes (por ejemplo, Monolog), esto puede encadenarse a la ejecuci\u00f3n remota de c\u00f3digo (RCE). La correcci\u00f3n en la versi\u00f3n 4.0.0 elimina la serializaci\u00f3n de PHP de la clase AccessTokenAuthenticator, lo que requiere que los usuarios almacenen y resuelvan el autenticador manualmente."}], "lastModified": "2026-03-26T20:42:31.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:saloon:saloon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DA20E08-DBB0-4ACD-BED9-550F3ED97E3D", "versionEndExcluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}