CVE-2026-33182: Server-Side Request Forgery and Credential Leakage in Saloon PHP

Saloon is a PHP library for building API integrations and Software Development Kits (SDKs). It abstracts HTTP requests and manages connector-level state, including authentication tokens, headers, and session cookies. Developers define a base URL and default credentials for a specific third-party API, expecting all subsequent requests to route through this trusted destination.

The vulnerability occurs when Saloon processes dynamically generated request endpoints. If a developer allows user-supplied data to dictate the endpoint, the library fails to restrict the final destination to the configured base URL. This logic flaw permits an attacker to redirect outbound HTTP requests to infrastructure under their direct control.

Because Saloon automatically attaches the connector's global state to every outbound request, this redirection results in immediate credential exposure. The library inadvertently packages the valid authorization headers intended for the trusted API and transmits them to the attacker's server.

The core issue resides in the Saloon\Helpers\URLHelper::join() method, which is utilized by the PendingRequest class to construct the final request URI. Prior to version 4.0.0, this method evaluated the provided endpoint string to determine if it was already a valid absolute URL. If the validation check passed, the method returned the absolute URL immediately.

This logic completely discarded the trusted base URL defined within the Saloon connector. Consequently, any state attached to the PendingRequest instance was forwarded to the new destination. The library lacked any structural boundary to separate credentials intended for the primary connector from those required by the specific request.

Since connectors typically apply authentication headers globally, these credentials accompanied the misdirected request. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) because the application fails to validate the upstream destination before dispatching the HTTP payload.

The vulnerable implementation simply checked the endpoint format and prioritized it over the base URL. The logic was dangerously simplistic and relied entirely on the developer to sanitize inputs prior to invoking the library methods.

// Pre-patch vulnerability in URLHelper::join()
public static function join(string $baseUrl, string $endpoint): string
{
    if (static::isValidUrl($endpoint)) {
        return $endpoint;
    }
    // Normal relative joining logic follows...
}

The remediation in version 4.0.0 modifies the library to enforce a strict deny-by-default policy for absolute URLs. The URLHelper::join() method was updated to throw an InvalidArgumentException if an absolute URL is detected in the endpoint while a base URL is present.

Developers must now explicitly define the allowBaseUrlOverride boolean property on the Connector, Request, or OAuth configuration. The library enforces a strict hierarchy to resolve this flag, checking the Request configuration first, followed by the OAuth configuration, and finally the Connector level. This explicit opt-in mechanism eliminates the risk of accidental overrides via unvalidated input.

Exploitation requires a specific architectural pattern where application logic passes unsanitized user input into a Saloon Request class. The attacker targets endpoints that derive their return value from this input, such as dynamic callback URLs or redirect URIs. The attacker submits an absolute URL pointing to an external server they control, such as https://attacker.example.com/capture.

When the application processes the request, Saloon constructs the outbound HTTP payload. The PendingRequest object compiles all defined headers, including Bearer tokens or API keys bound to the connector. The library then issues the HTTP request to the attacker's server instead of the intended API provider.

The attacker monitors their server logs to extract the leaked credentials from the incoming request headers. This process requires zero authentication to the host application and leaves minimal forensic evidence beyond standard access logs.

The primary impact of CVE-2026-33182 is a severe compromise of confidentiality. Attackers who successfully exploit this vulnerability obtain highly sensitive API credentials and session tokens. These stolen credentials grant the attacker unauthorized access to the upstream third-party services integrated with the application.

Depending on the privileges associated with the leaked tokens, attackers can manipulate data, trigger unauthorized transactions, or pivot into other connected systems. The impact extends beyond the immediate application, potentially compromising entire external infrastructure environments.

> [!NOTE] > While the host application's local database remains intact, the secondary compromise of external service accounts often results in severe financial or reputational damage.

The CVSS 4.0 score of 6.6 accurately reflects the high confidentiality impact coupled with the lack of direct integrity or availability impacts on the host application itself. The network-based attack vector requires no authentication, lowering the barrier to entry for exploitation.

System administrators and developers must upgrade the Saloon PHP library to version 4.0.0 or later to eliminate the vulnerability. This release enforces the secure-by-default URL handling behavior and prevents arbitrary endpoint overrides. Developers should audit all custom Request classes to identify instances where the resolveEndpoint() method processes user-supplied data.

If an application legitimately requires dynamic base URLs, developers must explicitly enable the allowBaseUrlOverride property. This configuration must only be used in conjunction with strict input validation or hardcoded allowlists. Enabling this feature globally on a Connector is strongly discouraged.

Version 4.0.0 also includes additional security hardening measures beyond the SSRF patch. The maintainers implemented path normalization in the Storage and Fixture helpers to prevent directory traversal attacks. Furthermore, the AccessTokenAuthenticator class was updated to mitigate potential PHP Object Injection vulnerabilities by removing its serialization methods.