CVE-2026-33942 Overview
CVE-2026-33942 is an insecure deserialization vulnerability in Saloon, a popular PHP library used for building API integrations and SDKs. The vulnerability exists in versions prior to 4.0.0 where the AccessTokenAuthenticator::unserialize() method uses PHP's native unserialize() function with allowed_classes => true to restore OAuth token state from cache or storage. This unsafe deserialization pattern allows attackers who can control the serialized string to inject malicious objects, potentially leading to remote code execution.
Critical Impact
Attackers can achieve remote code execution by injecting malicious serialized objects through cached token files or other injection vectors, particularly in environments with common PHP dependencies like Monolog that provide exploitation gadget chains.
Affected Products
- Saloon versions prior to 4.0.0
- Applications using AccessTokenAuthenticator for OAuth token persistence
- PHP environments with gadget-chain-compatible dependencies (e.g., Monolog)
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33942 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33942
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data), a well-known weakness that can have severe security implications in PHP applications. The root issue lies in the improper handling of serialized data within the OAuth authentication flow.
When applications use Saloon's AccessTokenAuthenticator class to persist OAuth tokens, the library serializes the authenticator object for storage. Upon retrieval, the unserialize() function is called with allowed_classes => true, which permits the instantiation of any PHP class present in the application's codebase. This creates an object injection vulnerability where an attacker-controlled serialized payload can trigger arbitrary class instantiation.
The attack surface expands significantly in environments that include popular PHP libraries containing "gadget classes" - classes with magic methods (__wakeup, __destruct, __toString) that can be chained together to achieve code execution. Libraries like Monolog, Guzzle, and various Laravel components have known gadget chains that attackers can leverage.
Root Cause
The vulnerability originates from the use of PHP's unserialize() function without proper class restrictions. When allowed_classes is set to true, PHP will instantiate any class found in the serialized string, executing magic methods during object reconstruction. The AccessTokenAuthenticator::unserialize() method did not implement adequate safeguards to prevent the deserialization of arbitrary objects.
Secure alternatives would include using allowed_classes => false or specifying an explicit whitelist of allowed classes, or avoiding PHP serialization entirely in favor of safer formats like JSON.
Attack Vector
The vulnerability is exploitable over the network with no authentication required and no user interaction necessary. An attacker must have the ability to control the serialized token data, which can be achieved through several attack vectors:
Cache Poisoning: If an attacker can write to the application's cache storage (Redis, Memcached, file-based cache), they can replace legitimate serialized tokens with malicious payloads.
File Injection: In scenarios where token files are stored on the filesystem, an attacker with write access to the token storage directory can inject malicious serialized objects.
Chained Vulnerabilities: Other vulnerabilities such as SQL injection, path traversal, or SSRF could potentially be used to manipulate where the serialized data is stored or what data is retrieved.
Once the malicious serialized payload is in place, the next time the application attempts to restore the OAuth token state, the unserialize() function will instantiate the attacker's gadget chain, leading to arbitrary code execution with the privileges of the web server process.
Detection Methods for CVE-2026-33942
Indicators of Compromise
- Unexpected or malformed entries in OAuth token cache storage
- Presence of serialized PHP objects containing class names not typically associated with authentication (e.g., Monolog handlers, stream wrappers)
- Anomalous file modifications in token storage directories
- PHP error logs indicating class instantiation failures during token restoration
- Unexpected outbound network connections following OAuth token operations
Detection Strategies
- Monitor cache and file storage for serialized PHP objects containing suspicious class references
- Implement application-level logging for AccessTokenAuthenticator::unserialize() calls and flag unexpected class instantiations
- Deploy file integrity monitoring on token storage directories
- Use runtime application security tools to detect object injection attempts
- Review application logs for PHP errors related to missing or unexpected classes during deserialization
Monitoring Recommendations
- Enable verbose logging for authentication-related operations in Saloon-based applications
- Configure alerts for write operations to token cache locations from unexpected sources
- Implement behavioral analysis to detect anomalous process execution following web requests
- Monitor for network connections to unexpected destinations that may indicate successful exploitation
How to Mitigate CVE-2026-33942
Immediate Actions Required
- Upgrade Saloon to version 4.0.0 or later immediately
- Audit all locations where OAuth tokens are stored (cache, database, filesystem) for signs of tampering
- Review application dependencies for known gadget chain classes and assess exposure
- Implement additional access controls on token storage locations to prevent unauthorized writes
- Consider invalidating and regenerating all stored OAuth tokens after patching
Patch Information
The vulnerability is fully remediated in Saloon version 4.0.0. The fix removes PHP serialization from the AccessTokenAuthenticator class entirely, requiring users to store and resolve the authenticator manually using safer serialization methods. This architectural change eliminates the object injection attack surface.
For detailed upgrade instructions, refer to the Saloon Upgrade Guide. Additional vulnerability details are available in the GitHub Security Advisory.
Workarounds
- If immediate upgrade is not possible, implement a wrapper around AccessTokenAuthenticator::unserialize() that validates the serialized data before deserialization
- Restrict write access to token storage locations to prevent attacker-controlled data injection
- Consider implementing a custom token storage mechanism using JSON instead of PHP serialization
- Deploy Web Application Firewall (WAF) rules to detect and block serialized PHP object payloads in requests
- Isolate applications using vulnerable Saloon versions in restricted network segments to limit post-exploitation impact
# Upgrade Saloon to patched version
composer require saloonphp/saloon:^4.0.0
# Verify installed version
composer show saloonphp/saloon | grep versions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
