CVE-2026-33942: CWE-502: Deserialization of Untrusted Data in saloonphp saloon
CVE-2026-33942 is a high-severity vulnerability in the saloonphp saloon PHP library in versions prior to 4.0.0. The AccessTokenAuthenticator::unserialize() method restores authenticator state by calling PHP's unserialize() with the allowed_classes option set to true, so any class named in the serialized blob is instantiated. An attacker who controls that serialized input can inject arbitrary objects whose PHP magic methods run during or after deserialization, which can be chained to remote code execution when gadget classes from common dependencies such as Monolog are loadable. The vulnerability is fixed in version 4.0.0 by removing PHP serialization from the affected class.
AI Analysis
Technical Summary
Saloonphp saloon versions before 4.0.0 call PHP's unserialize() unsafely in AccessTokenAuthenticator::unserialize(), with allowed_classes enabled, so an attacker who can control the stored serialized token data can inject objects of any loadable class. Such object injection triggers PHP magic methods (__wakeup, __destruct and similar) on attacker-chosen objects and, where suitable gadget classes are present among the application's dependencies, can be chained to achieve remote code execution. The official fix in version 4.0.0 eliminates PHP serialization in this code path, so applications are responsible for storing and resolving authenticator state themselves.
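The following is an added example, not code from the saloon project or its advisory. It reproduces the pattern the analysis describes in a self-contained script: a hypothetical FileWriterGadget stands in for any loadable class with a side-effecting magic method (the page names Monolog as a real-world source of such gadgets), restoreTokenUnsafe() mirrors an unserialize() call with allowed_classes set to true, and the two hardened functions show the two ways out, refusing classes outright and, as the 4.0.0 fix does, dropping PHP serialization for a scalar-only JSON representation. All function and class names are invented for the demonstration, and the payload is constructed inline.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class (not from any real library): any application class
// with a side-effecting magic method works the same way once it is autoloadable.
final class FileWriterGadget
{
    public function __construct(public string $path = '', public string $data = '') {}

    // Runs when the object is freed, including an instance that unserialize()
    // built from attacker-controlled bytes rather than from application code.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Hypothetical vulnerable pattern with the shape the advisory describes: every
// class named in the blob is instantiated, so its magic methods execute.
function restoreTokenUnsafe(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => true]);
}

// Defense in depth if native serialization cannot be removed yet: refuse all
// classes. Objects come back as __PHP_Incomplete_Class, whose destruction runs
// no user-defined code.
function restoreTokenNoClasses(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false, 'max_depth' => 4]);
}

// The approach of the fix: no PHP serialization at all. Token state is a JSON
// document with an explicit schema, and only validated scalars are accepted.
function exportToken(string $accessToken, ?string $refreshToken, ?int $expiresAt): string
{
    return json_encode([
        'access_token'  => $accessToken,
        'refresh_token' => $refreshToken,
        'expires_at'    => $expiresAt,
    ], JSON_THROW_ON_ERROR);
}

function restoreTokenSafe(string $json): array
{
    $data = json_decode($json, true, 4, JSON_THROW_ON_ERROR);
    $refresh = $data['refresh_token'] ?? null;
    $expires = $data['expires_at'] ?? null;
    if (!is_array($data)
        || !is_string($data['access_token'] ?? null)
        || ($refresh !== null && !is_string($refresh))
        || ($expires !== null && !is_int($expires))) {
        throw new InvalidArgumentException('malformed token state');
    }
    return ['access_token' => $data['access_token'], 'refresh_token' => $refresh, 'expires_at' => $expires];
}

// --- Demonstration with a constructed payload -------------------------------
$marker = sys_get_temp_dir() . '/cwe502-demo-' . getmypid();
@unlink($marker);

// What an attacker who can write the persisted token would store in place of a
// token. Built by hand so that no gadget instance exists before the restore.
$note = "gadget ran\n";
$payload = sprintf(
    'O:16:"FileWriterGadget":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($marker), $marker, strlen($note), $note
);

$obj = restoreTokenUnsafe($payload);
unset($obj);                         // __destruct fires here, during "token restore"
var_dump(file_exists($marker));      // bool(true): attacker-chosen side effect ran
@unlink($marker);

$obj = restoreTokenNoClasses($payload);
var_dump($obj instanceof __PHP_Incomplete_Class); // bool(true)
unset($obj);
var_dump(file_exists($marker));      // bool(false): nothing executed

// JSON path: the same bytes are rejected outright, and valid state round-trips.
try {
    restoreTokenSafe($payload);
} catch (JsonException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
$json = exportToken('tok_abc', 'ref_xyz', 1767225600);
var_dump(restoreTokenSafe($json)['access_token'] === 'tok_abc'); // bool(true)
```

Run it with `php demo.php` on PHP 8.1 or later. The point of the first block of var_dump calls is that the application never invokes FileWriterGadget; the class only has to be loadable, and unserialize() with allowed_classes enabled does the rest. Whitelisting specific class names in allowed_classes is weaker than either hardened form, because a whitelisted class can itself hold attacker-controlled nested objects of other types only if they are also whitelisted, and maintaining that list correctly across dependency upgrades is error-prone.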
Potential Impact
Exploitation of this vulnerability leads to object injection and, where a usable gadget chain exists among the application's dependencies, remote code execution on systems running vulnerable versions of saloonphp saloon. The precondition is that the attacker can supply or modify the serialized authenticator data that the application later restores; once that is met, no authentication or user interaction is needed for the magic methods to run. The CVSS 4.0 score of 8.1 reflects high impact with a network attack vector, no privileges required and no user interaction needed.
Mitigation Recommendations
A fix is available in saloonphp saloon version 4.0.0, which removes PHP serialization from the AccessTokenAuthenticator class entirely; applications that relied on serialize()/unserialize() to persist the authenticator must store and resolve its state themselves after upgrading. Upgrade to version 4.0.0 or later to remediate the vulnerability. No vendor advisory lists an alternative mitigation, so until the upgrade is applied the only practical reduction in exposure is to ensure serialized authenticator data is read only from storage that untrusted parties cannot write.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T19:50:52.104Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c4854ef4197a8e3b9c70d2
Added to database: 3/26/2026, 1:01:02 AM
Last enriched: 4/3/2026, 1:15:40 PM
Last updated: 5/10/2026, 10:50:47 AM