CVE-2026-33183
Received Received - Intake
Path Traversal in Saloon PHP Library Allows Arbitrary File Access

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33183
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
saloon saloon to 4.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33183 is a path traversal vulnerability in the Saloon PHP library versions prior to 4.0.0. The issue occurs because fixture names were used directly to build file paths within the configured fixture directory without proper validation.

If a fixture name contained path traversal sequences like "../" or absolute paths such as "../../etc/passwd", the constructed file path could escape the intended fixture directory.

This means that when the application read or wrote a fixture, it could access files anywhere the process had permission, potentially allowing an attacker to read sensitive files or overwrite critical files if the fixture name was derived from user-controlled input.

The vulnerability is addressed in Saloon version 4.0.0 by adding validation to reject unsafe fixture names and by ensuring file operations remain within the base directory.

Impact Analysis

This vulnerability can allow an attacker to read sensitive files or overwrite critical files on the system where the Saloon library is used.

If fixture names are derived from user or attacker-controlled input, the attacker could exploit this to access or modify files outside the intended directory.

Such unauthorized file access or modification could lead to disclosure of sensitive information, data corruption, or disruption of application functionality.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Saloon PHP package to version 4.0.0 or later.

Version 4.0.0 includes important fixes that validate fixture names to reject unsafe characters and path traversal sequences, and also ensure that file operations remain within the intended fixture directory.

Users should refer to the official upgrade guide to properly apply the update and secure their systems.

Compliance Impact

This vulnerability allows an attacker to read or write arbitrary files accessible by the process, potentially leading to disclosure of sensitive information or overwriting critical files.

Such unauthorized access or modification of sensitive data could result in non-compliance with data protection regulations and standards like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of sensitive data, impacting compliance with these common standards.

Detection Guidance

This vulnerability involves path traversal through fixture names used in the Saloon PHP package prior to version 4.0.0. Detection involves identifying if any fixture names contain path traversal sequences such as '../', '..\', or absolute paths that escape the intended fixture directory.

To detect exploitation attempts or vulnerable usage on your system, you can search for fixture names or file paths containing suspicious path traversal patterns in logs or configuration files.

  • Use grep or similar tools to search for '../' or '..\' in fixture-related files or logs, for example: grep -r "\.\./" /path/to/fixture/directory
  • Check application logs or request parameters for fixture names containing path traversal sequences.
  • Monitor file system access patterns for unexpected reads or writes outside the fixture directory.

Since the vulnerability is in the application layer, there are no specific network commands to detect it directly, but monitoring application inputs and file accesses for path traversal patterns is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33183. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart