Publish GHSA-rf88-776r-rcq9

advisory-database[bot] · advisory-database[bot] · commit 7aa3eb53e83e · 2026-03-27T18:36:45.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-rf88-776r-rcq9/GHSA-rf88-776r-rcq9.json b/advisories/github-reviewed/2026/03/GHSA-rf88-776r-rcq9/GHSA-rf88-776r-rcq9.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rf88-776r-rcq9",
+  "modified": "2026-03-27T18:33:43Z",
+  "published": "2026-03-27T18:33:43Z",
+  "aliases": [
+    "CVE-2026-33942"
+  ],
+  "summary": "Saloon has insecure deserialization in AccessTokenAuthenticator",
+  "details": "### Impact\nUsers of the OAuth2 utilities in Saloon, specifically the `AccessTokenAuthenticator` class.\n\n### Patches\nUpgrade to Saloon v4+\n\nUpgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4\n\n### Description\nThe Saloon PHP library used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized \"gadget\" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually.\n\n### Credits\nSaloon thanks @HuajiHD for finding the issue and recommending solutions and @jonpurvis for applying the fix.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "saloonphp/saloon"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33942"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/saloonphp/saloon"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T18:33:43Z",
+    "nvd_published_at": "2026-03-26T01:16:28Z"
+  }
+}
