CVE-2026-33183
Published: 26 March 2026
Summary
CVE-2026-33183 is a critical-severity Path Traversal (CWE-22) vulnerability in Saloon Saloon. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents path traversal by validating fixture names against traversal sequences, slashes, and unsafe characters before constructing file paths.
Remediates the specific path traversal vulnerability by requiring upgrade to Saloon version 4.0.0 or later with fixture validation fixes.
Limits damage from successful path traversal by enforcing least privilege on the application process, restricting access to sensitive files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing PHP library directly enables remote exploitation of the app (T1190), arbitrary local file reads (T1005), and arbitrary file writes that support tool/file ingress (T1105).
NVD Description
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g.…
more
../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
Deeper analysisAI
CVE-2026-33183 is a path traversal vulnerability (CWE-22) affecting the Saloon PHP library, a tool for building API integrations and SDKs, in versions prior to 4.0.0. The issue arises because fixture names are used to construct file paths under a configured fixture directory without proper validation. This allows names containing path traversal segments, such as "../traversal" or "../../etc/passwd", to resolve to paths outside the intended directory. Consequently, applications using Saloon for reading fixtures (e.g., for mocking) or writing them (e.g., recording responses) risk accessing arbitrary files based on the process's permissions.
The vulnerability can be exploited by remote attackers with no required privileges (AV:N/AC:L/PR:N/UI:N), as indicated by its CVSS v3.1 base score of 9.1. Exploitation requires the fixture name to be derived from attacker-controlled input, such as request parameters or configuration values. Successful attacks enable high confidentiality impact through disclosure of sensitive files and high integrity impact by overwriting critical files, though availability remains unaffected (S:U/C:H/I:H/A:N).
Mitigation is addressed in Saloon version 4.0.0, which introduces validation at the fixture layer to reject names containing slashes (/ or \), parent directory references (..), null bytes, or characters outside a safe set. Additionally, defense-in-depth measures in the storage layer ensure resolved paths remain within the base directory before any read or write operations. Security practitioners should upgrade to version 4.0.0 or later, as detailed in the official upgrade guide and GitHub security advisory.
Details
- CWE(s)