Deserialization in Saloonphp Saloon

CVE-2026-33942

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed…

Vulnerability class: Insecure Deserialization

EPSS: 0.002 (45.5th percentile)

Affected products

Weakness classification (CWE)

References