PT-2026-28182 · Saloon+2

Published: 2026-03-26 · Updated: 2026-03-26 · CVE-2026-33942

CVSS v4.0: 8.1 (High)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Saloon versions prior to 4.0.0
Description: Saloon is a PHP library for building API integrations and SDKs. Before 4.0.0, AccessTokenAuthenticator::unserialize() restored OAuth token state by passing the stored string to PHP's unserialize() with the allowed_classes option set to true, so the payload could name any loaded class. An attacker who controls that serialized string can substitute a serialized "gadget" object: unserialize() instantiates it and runs its magic methods (__wakeup, __unserialize, and later __destruct), which is PHP object injection. Where a usable gadget chain is present, for example through a widely installed dependency such as Monolog, this can be chained into remote code execution (RCE). The CVSS vector assumes the string is reachable without authentication or user interaction; in practice, exploitability depends on where the application persists the authenticator and who can write to that location.
Recommendations: Update to version 4.0.0 or later, which removes PHP serialization from the AccessTokenAuthenticator class; applications must then store the token values and rebuild the authenticator themselves. Until the upgrade is in place, make sure the serialized authenticator is never read back from a store that an untrusted party can write to.
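The pattern the advisory describes, shown beside two hardened alternatives, as an added example that is not Saloon's code. DemoTokenAuthenticator is a hypothetical stand-in for the affected authenticator, AuditGadget is a hypothetical stand-in for a real gadget class (it only records that its magic methods ran), and the serialized payload is constructed for this demo.

```php
<?php
// Added example, not Saloon's code. DemoTokenAuthenticator stands in for the
// affected authenticator; AuditGadget stands in for a real gadget class. Both
// names and the payload below are hypothetical/constructed for this demo.
declare(strict_types=1);

final class DemoTokenAuthenticator
{
    public function __construct(
        public string $accessToken,
        public ?string $refreshToken = null,
    ) {
    }

    // Vulnerable shape (what the advisory describes): allowed_classes => true
    // means the payload may name ANY loaded class; PHP instantiates it and
    // runs its __wakeup()/__unserialize(), and later its __destruct().
    public static function fromSerializedUnsafe(string $data): mixed
    {
        return unserialize($data, ['allowed_classes' => true]);
    }

    // Partial hardening: only this class may be instantiated (the option is
    // applied recursively, so nested objects are covered too). Any other class
    // name becomes __PHP_Incomplete_Class, whose magic methods never run, and
    // the type check then rejects the result.
    public static function fromSerializedStrict(string $data): self
    {
        $obj = unserialize($data, ['allowed_classes' => [self::class]]);
        if (!$obj instanceof self) {
            throw new UnexpectedValueException('unexpected object in token store');
        }
        return $obj;
    }

    // Preferred shape (in spirit what the 4.0.0 fix does): no PHP object
    // serialization at all. Persist plain scalars and rebuild the object.
    public function toJson(): string
    {
        return json_encode(
            ['access' => $this->accessToken, 'refresh' => $this->refreshToken],
            JSON_THROW_ON_ERROR
        );
    }

    public static function fromJson(string $json): self
    {
        $d = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($d) || !is_string($d['access'] ?? null)) {
            throw new UnexpectedValueException('malformed token record');
        }
        $refresh = $d['refresh'] ?? null;
        return new self($d['access'], is_string($refresh) ? $refresh : null);
    }
}

// Stand-in gadget: a real chain (e.g. one built on Monolog handlers) ends in a
// call the attacker controls; this one only records that its magic methods ran.
final class AuditGadget
{
    public static array $log = [];
    public string $cmd = '';

    public function __wakeup(): void
    {
        self::$log[] = "__wakeup ran, cmd={$this->cmd}";
    }

    public function __destruct()
    {
        self::$log[] = "__destruct ran, cmd={$this->cmd}";
    }
}

// Attacker-controlled string (constructed for this example), as it might sit in
// a compromised cache, session or database row where the authenticator is kept.
$payload = 'O:11:"AuditGadget":1:{s:3:"cmd";s:2:"id";}';

// 1. Vulnerable path: the gadget is instantiated and its magic methods execute.
AuditGadget::$log = [];
$obj = DemoTokenAuthenticator::fromSerializedUnsafe($payload);
unset($obj);                // drops the last reference, which triggers __destruct()
print_r(AuditGadget::$log); // shows that __wakeup and __destruct both ran

// 2. Allow-listed path: the payload is rejected and no gadget code runs.
AuditGadget::$log = [];
try {
    DemoTokenAuthenticator::fromSerializedStrict($payload);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(AuditGadget::$log === []); // the gadget's magic methods never executed

// 3. Serialization-free path: round-trips the token without unserialize().
$auth  = new DemoTokenAuthenticator('tok_example', 'ref_example');
$again = DemoTokenAuthenticator::fromJson($auth->toJson());
var_dump($again->accessToken === 'tok_example');
```

Run it with `php demo.php` (PHP 8.0 or later for constructor promotion and `mixed`). The allow-list variant closes the gadget door but still hands attacker bytes to unserialize()'s parser and still runs the allowed class's own magic methods and property initialisation, which is why the upstream fix removed PHP serialization from the authenticator rather than restricting it; the JSON round-trip is the shape to prefer for new code.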

Tags: Fix · RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-33942

Affected Products: Monolog · Php · Saloon