CVE-2026-33942

Severity: Critical · RCE

Published: 26 March 2026
Modified: 26 March 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.1th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33942 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Saloon PHP library (vendor: Saloon). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the CVE by requiring timely patching of the Saloon library to version 4.0.0, which removes the unsafe PHP unserialize() usage.
- prevent: Scans for and remediates vulnerabilities like CVE-2026-33942 in PHP libraries and dependencies, enabling proactive flaw identification and patching.
- prevent: Validates serialized OAuth token data from cache or storage before deserialization to block malicious gadget objects that enable object injection.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

This is a PHP object injection vulnerability that an unauthenticated remote attacker can trigger by manipulating the cache or storage backing the OAuth token; in a public-facing application that path leads to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class, requiring users to store and resolve the authenticator manually.

Deeper analysis

CVE-2026-33942 is a PHP object injection vulnerability (CWE-502) in the Saloon PHP library, which provides tools for building API integrations and SDKs. Versions prior to 4.0.0 use PHP's unserialize() function with allowed_classes => true in the AccessTokenAuthenticator::unserialize() method to restore OAuth token state from cache or storage. This allows attackers who control the serialized string to supply a malicious "gadget" object, triggering PHP magic methods like __wakeup or __destruct upon deserialization.

An unauthenticated attacker (AV:N/AC:L/PR:N) with the ability to overwrite a cached token file or inject data into the storage mechanism can exploit this remotely with low complexity. Successful object injection can be chained with common dependencies, such as Monolog, to achieve remote code execution (RCE), resulting in high confidentiality, integrity, and availability impacts (CVSS 9.8: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Saloon project addressed this in version 4.0.0 by removing PHP serialization from the AccessTokenAuthenticator class, requiring users to manually store and resolve the authenticator. Further details on upgrading from v3 to v4 are available in the official documentation at https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4, and the GitHub security advisory at https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9 provides additional guidance.
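To make the defensive point of the NVD description and the analysis above concrete, the following PHP is an added illustration (not Saloon's code, and not the v4 API) that contrasts the unsafe pattern the advisory describes with a token store that cannot instantiate objects at all. The TokenState class, the function names and the sample values are assumptions made for this example; the mitigation it shows (plain JSON with per-field validation, plus a refuse-list check for legacy serialized strings) is the generic CWE-502 remedy rather than Saloon's own fix.

```php
<?php
// Added example (not Saloon's code). Requires PHP 8.1+ for readonly promotion.
declare(strict_types=1);

final class TokenState // hypothetical value object for OAuth token state
{
    public function __construct(
        public readonly string $accessToken,
        public readonly ?string $refreshToken,
        public readonly ?int $expiresAt,
    ) {}
}

// The pattern the advisory describes: allowed_classes => true lets ANY class
// named in the string be instantiated, so a gadget's __wakeup/__destruct runs.
// Kept only as the "before" for comparison; do not use on untrusted input.
function restoreUnsafe(string $cached): mixed
{
    return unserialize($cached, ['allowed_classes' => true]);
}

// Hardened pattern: persist scalars as JSON and rebuild the object yourself.
// json_decode() never creates application objects, so no magic method fires.
function storeToken(TokenState $state): string
{
    return json_encode([
        'access_token'  => $state->accessToken,
        'refresh_token' => $state->refreshToken,
        'expires_at'    => $state->expiresAt,
    ], JSON_THROW_ON_ERROR);
}

function restoreToken(string $cached): TokenState
{
    $data = json_decode($cached, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !is_string($data['access_token'] ?? null)) {
        throw new UnexpectedValueException('cached token lacks a string access_token');
    }
    $refresh = $data['refresh_token'] ?? null;
    $expires = $data['expires_at'] ?? null;
    if ($refresh !== null && !is_string($refresh)) {
        throw new UnexpectedValueException('refresh_token must be a string or null');
    }
    if ($expires !== null && !is_int($expires)) {
        throw new UnexpectedValueException('expires_at must be an int or null');
    }
    return new TokenState($data['access_token'], $refresh, $expires);
}

// For stores that still hold PHP-serialized strings during migration: refuse
// anything carrying an object ("O:") or custom-serialized ("C:") token before it
// reaches unserialize(). Fails closed, so a string value that happens to contain
// ';O:1:"' is also rejected; that is the intended trade-off.
function containsSerializedObject(string $s): bool
{
    return (bool) preg_match('/(^|[;{:])[OC]:\d+:"/', $s);
}

// Constructed sample data for a stand-alone run.
$cached   = storeToken(new TokenState('access-example', 'refresh-example', 1790000000));
$restored = restoreToken($cached);
if ($restored->accessToken !== 'access-example' || $restored->expiresAt !== 1790000000) {
    throw new RuntimeException('round trip failed');
}
if (containsSerializedObject('a:1:{s:5:"token";s:3:"abc";}')) {
    throw new RuntimeException('plain array wrongly flagged');
}
if (!containsSerializedObject('O:8:"stdClass":0:{}')) {
    throw new RuntimeException('object payload not flagged');
}
echo "token round trip and serialized-object check OK\n";
```

The essential change is the storage format rather than the validation: once token state is JSON, there is no code path in which a cached string can name a class, which is the same property the project obtained by removing PHP serialization from the authenticator. The containsSerializedObject() check is only a stop-gap for data written before a migration; it should never be the sole control in front of unserialize().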

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

Saloon / saloon: ≤ 4.0.0

CVEs Like This One

- CVE-2026-33182: same product (Saloon Saloon)
- CVE-2026-33183: same product (Saloon Saloon)
- CVE-2025-54366: shared CWE-502
- CVE-2025-7916: shared CWE-502
- CVE-2025-0994: shared CWE-502
- CVE-2024-56180: shared CWE-502
- CVE-2025-9121: shared CWE-502
- CVE-2026-24378: shared CWE-502
- CVE-2025-27300: shared CWE-502
- CVE-2025-55182: shared CWE-502
