logo

Database

Insecure deserialization In saloonphp/saloon

Description

Saloon has insecure deserialization in AccessTokenAuthenticator

Impact

Users of the OAuth2 utilities in Saloon, specifically the AccessTokenAuthenticator class.

Patches

Upgrade to Saloon v4+

Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4

Description

The Saloon PHP library used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually.

Credits

Saloon thanks @HuajiHD for finding the issue and recommending solutions and @jonpurvis for applying the fix.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-339422. NVD-2026-339423. OSV-2026-339424. GHSA-rf88-776r-rcq95. GCVE-2026-33942

References

1. https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq92. https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.