CVE-2026-33182
Server-Side Request Forgery in Saloon PHP Library Before
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saloon | saloon | to 4.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33182 is a vulnerability in the Saloon PHP library versions prior to 4.0.0 related to how request URLs are constructed. Saloon combines a connector's base URL with a request endpoint, but if the endpoint is a valid absolute URL, the library uses that URL directly and ignores the base URL.
This means that if an attacker can influence the endpoint URL (for example, through user input like redirect_uri or callback URL), they can cause the request to be sent to an attacker-controlled server. This can lead to server-side request forgery (SSRF) and leakage of sensitive authentication information such as headers, cookies, or tokens.
The vulnerability was fixed in Saloon version 4.0.0 by rejecting absolute URLs in the endpoint by default, requiring explicit opt-in to allow such URLs.
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform server-side request forgery (SSRF), which means they can make the server send requests to arbitrary URLs controlled by the attacker.
Because the request includes authentication headers, cookies, or tokens attached by the connector, attackers can also gain access to sensitive credentials or session information.
This can lead to unauthorized access to internal systems, data leakage, or further exploitation of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your application uses Saloon versions prior to 4.0.0 and if it constructs request URLs where the endpoint can be an absolute URL influenced by user input. Monitoring outgoing requests for unexpected external URLs, especially those that override the base URL, can indicate exploitation attempts.
Since the vulnerability involves Server-Side Request Forgery (SSRF) via absolute URLs in endpoints, you can look for requests sent to external or attacker-controlled domains that should normally be internal or fixed.
Suggested commands to detect suspicious network activity include:
- Using network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests and filter for unusual destination IPs or domains.
- Example tcpdump command to capture HTTP traffic: sudo tcpdump -i any -A 'tcp port 80 or tcp port 443'
- Using application logs to search for requests where the endpoint URL is an absolute URL or differs from the expected base URL.
- Reviewing source code or configuration for usage of Saloon's request endpoint parameters that accept user input, such as redirect_uri or callback URLs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Saloon prior to version 4.0.0 allows Server-Side Request Forgery (SSRF) and credential leakage to attacker-controlled hosts if the endpoint URL is user-controllable. This can lead to unauthorized disclosure of sensitive authentication headers, cookies, or tokens.
Such unauthorized credential leakage and SSRF attacks can compromise the confidentiality and integrity of data, potentially violating data protection requirements under standards like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.
By allowing attackers to redirect authenticated requests to malicious servers, this vulnerability increases the risk of data breaches and unauthorized access, which can result in non-compliance with these regulations.
The fix in Saloon v4.0.0 mitigates this risk by rejecting absolute URLs in endpoints by default, thereby preventing unintended SSRF and credential leakage, helping organizations maintain compliance with security and privacy standards.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended step to mitigate this vulnerability is to upgrade the Saloon PHP library to version 4.0.0 or later, where the issue is fixed by rejecting absolute URLs in request endpoints by default.
Additional mitigation steps include:
- Sanitize and validate all user inputs that influence request endpoints, such as redirect_uri or callback URLs, to prevent injection of absolute URLs.
- Review and update your code to explicitly opt-in to base URL overrides only when necessary, using the new allowBaseUrlOverride flag in Saloon v4.
- Audit your application for any usage of absolute URLs in endpoints and refactor to use relative endpoints or safe URL construction.
- Follow the official upgrade instructions: update composer dependencies to "saloonphp/saloon": "^4.0" and run composer update.