PT-2026-28160 · Saloon · Saloon
Huajihd · Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33182
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Saloon versions prior to 4.0.0
Description: Saloon is a PHP library used for building API integrations and SDKs. A flaw exists in how the library combines a connector's base URL with a request endpoint: if the endpoint is a valid absolute URL, Saloon uses that URL directly, bypassing the base URL and any authentication mechanism attached to the connector. When the endpoint is influenced by user input or by configuration parameters such as a redirect URI or callback URL, this allows an attacker to potentially perform server-side request forgery (SSRF) and to have the connector's credentials sent to a host they control. The URLHelper::join() function does not validate the endpoint, which leads to this behaviour.
Recommendations: Upgrade to Saloon version 4.0.0 or later.
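The following added example is not Saloon's code and does not reproduce URLHelper::join(); it is a minimal PHP model of the join behaviour the description reports (an absolute endpoint replacing the base URL) placed beside a hardened join that refuses any endpoint whose scheme, host or port differs from the connector's base URL. The function names naiveJoin() and strictJoin(), and the sample URLs, are constructed for illustration.

```php
<?php
// Added example: a minimal model of base-URL/endpoint joining, not Saloon's own code.
// naiveJoin() and strictJoin() are hypothetical names used only in this illustration.
declare(strict_types=1);

// Naive join: an endpoint that is a valid absolute URL replaces the base URL entirely,
// which is the behaviour the advisory describes for versions prior to 4.0.0. Any
// credentials attached to the connector then travel to whatever host the endpoint names.
function naiveJoin(string $baseUrl, string $endpoint): string
{
    if (filter_var($endpoint, FILTER_VALIDATE_URL) !== false) {
        return $endpoint;
    }
    return rtrim($baseUrl, '/') . '/' . ltrim($endpoint, '/');
}

// Hardened join: an endpoint carrying its own scheme or host (absolute or
// protocol-relative) is accepted only when it targets the same origin as the base
// URL; otherwise the request is refused before it, and its credentials, can leave.
function strictJoin(string $baseUrl, string $endpoint): string
{
    $base = parse_url($baseUrl);
    if ($base === false || !isset($base['scheme'], $base['host'])) {
        throw new InvalidArgumentException('Connector base URL must be absolute');
    }

    $target = parse_url($endpoint);
    if ($target === false) {
        throw new InvalidArgumentException('Malformed endpoint');
    }

    if (isset($target['scheme']) || isset($target['host'])) {
        $sameScheme = isset($target['scheme']) && strcasecmp($target['scheme'], $base['scheme']) === 0;
        $sameHost   = isset($target['host']) && strcasecmp($target['host'], $base['host']) === 0;
        $samePort   = ($target['port'] ?? null) === ($base['port'] ?? null);
        if (!($sameScheme && $sameHost && $samePort)) {
            throw new InvalidArgumentException('Endpoint would send the request to a different origin');
        }
        return $endpoint;
    }

    // Relative endpoint: resolve it under the connector's base URL as expected.
    return rtrim($baseUrl, '/') . '/' . ltrim($endpoint, '/');
}

// Constructed sample values: a connector base URL and an endpoint taken from a
// configuration parameter (for example a "callback URL") that a user could influence.
$base           = 'https://api.example.com/v1';
$userControlled = 'https://other-host.example/collect';

echo naiveJoin($base, $userControlled), PHP_EOL;   // prints https://other-host.example/collect

try {
    strictJoin($base, $userControlled);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;  // the cross-origin endpoint is refused
}

echo strictJoin($base, '/users/42'), PHP_EOL;                        // https://api.example.com/v1/users/42
echo strictJoin($base, 'https://api.example.com/v1/users/42'), PHP_EOL; // same-origin absolute URL is allowed
```

The same-origin comparison is deliberately strict: a differing port or scheme downgrade is treated as a different origin, because the credentials a connector attaches (bearer tokens, basic auth, signed headers) are only meant for the origin the base URL names. Where a codebase must accept endpoints from configuration or user input, this is the check a reviewer would expect to see on every path that ends in an outbound request.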

Tags: Exploit · Fix · SSRF · Insufficiently Protected Credentials

Weakness Enumeration

Related Identifiers
CVE-2026-33182
GHSA-C83F-3XP6-HFCP

Affected Products
Saloon