CVE-2026-33183 is a path traversal vulnerability (CWE-22) found in the Saloon PHP library, a tool used to build API integrations and SDKs. In versions prior to 4.0.0, the library used fixture names to construct file paths under a configured fixture directory without proper validation. This allowed an attacker to include path traversal sequences such as '../' or '..\' in fixture names, causing the application to access files outside the intended directory. When the application reads or writes fixtures (for example, during mocking or recording API responses), it could inadvertently read sensitive files like system configuration files or overwrite critical files if the fixture name was attacker-controlled. The vulnerability is particularly dangerous because it does not require authentication or user interaction and can be triggered remotely if fixture names are derived from user input such as request parameters or configuration files. The fix implemented in version 4.0.0 includes validation that rejects fixture names containing path separators, traversal sequences, or null bytes, and restricts names to a safe character set. Additionally, a defense-in-depth measure was added to verify that the resolved file path remains within the base fixture directory before any file operation is performed. This layered approach mitigates the risk of path traversal exploitation. The vulnerability has a CVSS 4.0 score of 8.0 (high severity) due to its potential to disclose sensitive information and modify files without requiring privileges or user interaction. No public exploits have been reported yet, but the vulnerability poses a significant risk to applications using affected Saloon versions.

The impact of CVE-2026-33183 is substantial for organizations using the Saloon PHP library versions prior to 4.0.0 in their API integrations or SDKs. Successful exploitation can lead to unauthorized disclosure of sensitive files such as configuration files, credentials, or private data, compromising confidentiality. Additionally, attackers may overwrite critical files, potentially causing application malfunction, data corruption, or enabling further compromise, thus impacting integrity and availability. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by attackers who can control fixture names, increasing the attack surface. Organizations relying on Saloon in web-facing applications or services are at risk of data breaches, service disruption, or lateral movement within their infrastructure. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially given the ease of exploitation and high severity rating. Failure to patch could expose organizations to targeted attacks or automated scanning and exploitation attempts once public exploit code becomes available.

To mitigate CVE-2026-33183, organizations should immediately upgrade the Saloon PHP library to version 4.0.0 or later, where the vulnerability is fully addressed. If upgrading is not immediately feasible, implement strict input validation on any user or attacker-controlled data used as fixture names, ensuring they do not contain path traversal sequences, path separators, or null bytes. Employ allowlisting of acceptable characters and patterns for fixture names. Additionally, enforce file system permissions to restrict the application process's access to only necessary directories and files, minimizing the impact of potential traversal. Use runtime application self-protection (RASP) or web application firewalls (WAF) to detect and block suspicious path traversal attempts. Conduct thorough code reviews and security testing to identify any other areas where unvalidated file paths might be used. Finally, monitor logs for unusual file access patterns that may indicate exploitation attempts.