CVE-2026-33942: CWE-502: Deserialization of Untrusted Data in saloonphp saloon
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class, requiring users to store and resolve the authenticator manually.
AI Analysis
Technical Summary
Saloon is a PHP library for building API integrations and SDKs. Versions before 4.0.0 restore OAuth token state in AccessTokenAuthenticator::unserialize() by calling PHP's unserialize() on the stored string with allowed_classes set to true, so any class the autoloader can find may be instantiated from that string. That makes the stored authenticator a PHP object injection sink (CWE-502, tracked as CVE-2026-33942). The precondition is that the attacker can control the serialized bytes, for example by overwriting a cached token file or by reaching the string through a separate injection flaw; the vulnerability itself adds no new way to obtain that write. Given the write, the attacker replaces the serialized authenticator with a 'gadget' object whose magic methods (__wakeup, __destruct, __toString and so on) PHP runs during or immediately after unserialize(). Whether that becomes remote code execution depends on which classes are loaded in the process: with common dependencies such as Monolog, published gadget chains turn a destructor into code execution. The payload fires the next time the application loads the stored authenticator, with no further user interaction and regardless of whether the attacker can authenticate to the application itself. Saloon 4.0.0 removes PHP serialization from AccessTokenAuthenticator altogether, so applications must persist the token fields themselves and rebuild the authenticator from them, which closes the unserialize() path.
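The mechanism described above, as a constructed PHP example that is not Saloon's or Monolog's code: DemoGadget is a hypothetical class with a side-effecting destructor standing in for whatever autoloaded class a real chain would reuse, restoreTokenUnsafe() mirrors the allowed_classes => true pattern, and the two other helpers show what PHP does with the same bytes when objects are refused or allow-listed. The marker-file path and all function names are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demonstration, not Saloon's or Monolog's code: why
// unserialize() with allowed_classes => true on attacker-controlled bytes
// is object injection, and what changes when objects are refused.

// Hypothetical stand-in for any autoloaded class with a side-effecting
// destructor. Real gadget chains reuse classes already present in the
// application's vendor tree; nothing here is a real chain.
final class DemoGadget
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Runs as soon as the last reference to the object disappears,
        // which for an unserialized value nobody keeps is immediately.
        file_put_contents($this->path, $this->data);
    }
}

// Constructed "tampered cache entry": the bytes serialize() would produce
// for a DemoGadget with attacker-chosen fields. The format is plain text,
// so an attacker writes it by hand without running any PHP.
$marker = sys_get_temp_dir() . '/object_injection_marker.txt';
@unlink($marker);
$gadget = new DemoGadget();
$gadget->path = $marker;
$gadget->data = "destructor ran\n";
$payload = serialize($gadget);
unset($gadget);   // the destructor fires once here; clear the marker again
@unlink($marker);

// Vulnerable pattern: every class the autoloader can find is fair game.
function restoreTokenUnsafe(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => true]);
}

// Same bytes, objects refused: PHP yields __PHP_Incomplete_Class instead
// of the named class, and no magic method of that class is ever invoked.
function restoreTokenNoObjects(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Restricting to an explicit list is the shape to use when an object
// genuinely must be restored; anything not listed still comes back incomplete.
function restoreTokenAllowList(string $blob, array $classes): mixed
{
    return unserialize($blob, ['allowed_classes' => $classes]);
}

$obj = restoreTokenUnsafe($payload);
unset($obj);
echo 'allowed_classes => true : marker file exists = ',
    var_export(file_exists($marker), true), PHP_EOL;

@unlink($marker);
$obj = restoreTokenNoObjects($payload);
echo 'allowed_classes => false: restored as ', get_class($obj), PHP_EOL;
unset($obj);
echo 'allowed_classes => false: marker file exists = ',
    var_export(file_exists($marker), true), PHP_EOL;

$obj = restoreTokenAllowList($payload, [DateTimeImmutable::class]);
echo 'allow-list without DemoGadget: restored as ', get_class($obj), PHP_EOL;
unset($obj);
@unlink($marker);
```

Run it with `php demo.php`. The point to take from the first block is that nothing in the attacker's payload is "executed" in the usual sense; the mere act of reconstructing the object hands control to code that already exists in the process, and only the allowed_classes option decides whether that code is reachable.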
Potential Impact
The impact on an application running Saloon before 4.0.0 is code execution in the PHP process under the web server's or worker's identity, with the consequences that follow: reading the application's secrets (including the OAuth tokens being cached), tampering with data, pivoting to other hosts the server can reach, and using the host as a persistent foothold. The realistic exposure is bounded by who can write to wherever the serialized authenticator lands. A token cache on a shared filesystem, a cache server reachable from other tenants, or a storage column writable through some other bug each turn a lower-impact write primitive into RCE, which is why the issue matters even where the web application itself is otherwise well protected. The chance of turning object injection into RCE rises with the number of loaded libraries that carry known gadget chains, Monolog being the usual example.
Mitigation Recommendations
Upgrade Saloon to 4.0.0 or later; the release removes PHP serialization from AccessTokenAuthenticator, so code that previously persisted the serialized authenticator must be changed to store the token fields (access token, refresh token, expiry) and rebuild the authenticator from them. Do that storage rework with a format that cannot express objects, such as JSON, and validate the fields on read. Until the upgrade is in place, treat the token store as code: restrict write access to the application user only (owner-only file permissions, a dedicated cache namespace, no shared directories) and integrity-protect entries, for instance by storing an HMAC alongside each blob and refusing to unserialize anything that fails the check. Where the vendor code must be patched locally, the general rule for unserialize() is to pass allowed_classes as an explicit list of the classes actually expected, never true. Inventory dependencies against published gadget-chain catalogues (phpggc lists chains for Monolog among others); dropping or updating a dependency narrows what an attacker can reach but does not fix the deserialization itself. WAF or RASP signatures for serialized PHP payloads help only where the injection vector is an HTTP parameter, not where the attacker writes the cache directly. Monitor for unexpected writes to the token store and for unserialize() errors or __PHP_Incomplete_Class values in application logs, both of which indicate tampered entries, and include deserialization sinks in code review and penetration testing.
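One way to implement the storage-side recommendations above, as an added example rather than Saloon's own API: a TokenCache class (hypothetical name) that persists only the scalar token fields as JSON, authenticates each entry with an HMAC so a tampered file is rejected before it is parsed, and writes files owner-only into a 0700 directory. The field names access_token, refresh_token and expires_at, the key source, and the directory layout are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not Saloon's code: an interim token store for an
// application that cannot yet upgrade. It never calls unserialize(), so
// a hand-written serialized object in the cache is just bytes that fail
// the HMAC check. Field names and key handling are assumptions.
final class TokenCache
{
    public function __construct(
        private readonly string $dir,
        private readonly string $hmacKey, // >= 32 random bytes from a secret store
    ) {
        if (strlen($hmacKey) < 32) {
            throw new InvalidArgumentException('HMAC key must be at least 32 bytes');
        }
    }

    private function path(string $id): string
    {
        // Hash the caller-supplied id so it can never become a path component.
        return $this->dir . '/' . hash('sha256', $id) . '.json';
    }

    /** @param array{access_token:string, refresh_token?:?string, expires_at?:?int} $token */
    public function put(string $id, array $token): void
    {
        $body = json_encode([
            'access_token'  => $token['access_token'],
            'refresh_token' => $token['refresh_token'] ?? null,
            'expires_at'    => $token['expires_at'] ?? null,   // Unix timestamp
        ], JSON_THROW_ON_ERROR);
        $mac = hash_hmac('sha256', $body, $this->hmacKey);
        $tmp = $this->path($id) . '.' . bin2hex(random_bytes(6)) . '.tmp';
        // Write to a temp name, tighten permissions, then rename atomically
        // so a concurrent reader never sees a half-written entry.
        if (file_put_contents($tmp, $mac . "\n" . $body, LOCK_EX) === false) {
            throw new RuntimeException('cannot write token cache');
        }
        chmod($tmp, 0600);
        rename($tmp, $this->path($id));
    }

    /** @return array{access_token:string, refresh_token:?string, expires_at:?int}|null */
    public function get(string $id): ?array
    {
        $raw = @file_get_contents($this->path($id));
        if ($raw === false) {
            return null;                       // nothing cached
        }
        $nl = strpos($raw, "\n");
        if ($nl === false) {
            return null;                       // not in our format at all
        }
        $mac  = substr($raw, 0, $nl);
        $body = substr($raw, $nl + 1);
        // Constant-time compare. A modified body, or a serialized gadget
        // written over the file, fails here before any parsing happens.
        if (!hash_equals(hash_hmac('sha256', $body, $this->hmacKey), $mac)) {
            return null;                       // treat as a miss; alert on it in production
        }
        $d = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
        if (!is_array($d) || !is_string($d['access_token'] ?? null)) {
            return null;
        }
        return [
            'access_token'  => $d['access_token'],
            'refresh_token' => is_string($d['refresh_token'] ?? null) ? $d['refresh_token'] : null,
            'expires_at'    => is_int($d['expires_at'] ?? null) ? $d['expires_at'] : null,
        ];
    }
}

// Demo with a constructed key and a constructed tampered entry.
$dir = sys_get_temp_dir() . '/token-cache-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$cache = new TokenCache($dir, random_bytes(32));

$cache->put('user-42', [
    'access_token'  => 'at-123',
    'refresh_token' => 'rt-456',
    'expires_at'    => time() + 3600,
]);
echo 'valid entry    -> ', $cache->get('user-42') === null ? 'rejected' : 'accepted', PHP_EOL;

// Attacker with write access replaces the entry with a serialized object.
$file = glob($dir . '/*.json')[0];
file_put_contents($file, serialize(new stdClass()));
echo 'tampered entry -> ', $cache->get('user-42') === null ? 'rejected' : 'accepted', PHP_EOL;
```

The HMAC only helps if the key lives somewhere the cache-writing attacker cannot read (environment of the application user, a secrets manager), so it complements rather than replaces the file-permission advice; the JSON representation is what removes the deserialization sink, and it is also the shape Saloon 4.0.0 pushes applications toward by requiring them to store and resolve the authenticator themselves.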
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T19:50:52.104Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c4854ef4197a8e3b9c70d2
Added to database: 3/26/2026, 1:01:02 AM
Last enriched: 3/26/2026, 1:15:56 AM
Last updated: 3/26/2026, 3:08:33 AM