CVE-2026-33182 (GCVE-0-2026-33182)
Vulnerability from cvelistv5 – Published: 2026-03-26 00:22 – Updated: 2026-03-26 14:18
VLAI?
Title
Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL
Summary
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request—and any authentication headers, cookies, or tokens attached by the connector—was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis.
Severity ?
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T14:18:22.841270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:18:29.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saloon",
"vendor": "saloonphp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector\u0027s base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request\u2014and any authentication headers, cookies, or tokens attached by the connector\u2014was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T00:27:58.139Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/saloonphp/saloon/security/advisories/GHSA-c83f-3xp6-hfcp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-c83f-3xp6-hfcp"
},
{
"name": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4"
}
],
"source": {
"advisory": "GHSA-c83f-3xp6-hfcp",
"discovery": "UNKNOWN"
},
"title": "Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33182",
"datePublished": "2026-03-26T00:22:14.472Z",
"dateReserved": "2026-03-17T22:16:36.720Z",
"dateUpdated": "2026-03-26T14:18:29.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33182",
"date": "2026-04-15",
"epss": "0.00028",
"percentile": "0.07845"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33182\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T01:16:27.043\",\"lastModified\":\"2026-03-30T16:51:45.823\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector\u0027s base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request\u2014and any authentication headers, cookies, or tokens attached by the connector\u2014was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis.\"},{\"lang\":\"es\",\"value\":\"Saloon es una biblioteca PHP que proporciona a los usuarios herramientas para construir integraciones de API y SDKs. Antes de la versi\u00f3n 4.0.0, al construir la URL de la petici\u00f3n, Saloon combinaba la URL base del conector con el endpoint de la petici\u00f3n. Si el endpoint era una URL absoluta v\u00e1lida, el c\u00f3digo usaba esa URL tal cual e ignoraba la URL base. La petici\u00f3n \u2014y cualquier encabezado de autenticaci\u00f3n, cookies o tokens adjuntos por el conector\u2014 se enviaba entonces al host controlado por el atacante. Si el endpoint pod\u00eda ser influenciado por la entrada del usuario o la configuraci\u00f3n (p. ej., redirect_uri, URL de callback), esto permit\u00eda la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) y/o la fuga de credenciales a un host de terceros. La soluci\u00f3n en la versi\u00f3n 4.0.0 es rechazar las URLs absolutas en el endpoint: URLHelper::join() lanza InvalidArgumentException cuando el endpoint es una URL absoluta v\u00e1lida, a menos que se permita expl\u00edcitamente, lo que requiere que los llamadores opten por la funcionalidad por conector o por petici\u00f3n.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saloon:saloon:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.0.0\",\"matchCriteriaId\":\"2DA20E08-DBB0-4ACD-BED9-550F3ED97E3D\"}]}]}],\"references\":[{\"url\":\"https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/saloonphp/saloon/security/advisories/GHSA-c83f-3xp6-hfcp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33182\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T14:18:22.841270Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T14:18:26.473Z\"}}], \"cna\": {\"title\": \"Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL\", \"source\": {\"advisory\": \"GHSA-c83f-3xp6-hfcp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"saloonphp\", \"product\": \"saloon\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/saloonphp/saloon/security/advisories/GHSA-c83f-3xp6-hfcp\", \"name\": \"https://github.com/saloonphp/saloon/security/advisories/GHSA-c83f-3xp6-hfcp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4\", \"name\": \"https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector\u0027s base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request\\u2014and any authentication headers, cookies, or tokens attached by the connector\\u2014was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-522\", \"description\": \"CWE-522: Insufficiently Protected Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T00:27:58.139Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33182\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T14:18:29.802Z\", \"dateReserved\": \"2026-03-17T22:16:36.720Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T00:22:14.472Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…