CVE-2026-33183

Description

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:saloon:saloon:*:*:*:*:*:*:*:* - VULNERABLE

Saloon < 4.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php
// PoC for CVE-2026-33183: Path Traversal in Saloon < 4.0.0
// This script simulates how an attacker might exploit the fixture name parameter.

$malicious_fixture_name = "../../../../../etc/passwd"; // Path traversal payload

// In a vulnerable application, this input might come from:
// $_GET['fixture'], $_POST['config'], etc.

// Vulnerable logic (Conceptual):
// $path = $fixture_storage_path . '/' . $malicious_fixture_name;
// file_get_contents($path);

// Result:
// The application attempts to read/write from /etc/passwd instead of the fixture directory.
echo "Payload: " . $malicious_fixture_name . "\n";
echo "Impact: Arbitrary File Read/Write outside the designated fixture directory.";
?>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33183
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33183
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33183/
[4] VulDB https://vuldb.com/cve/CVE-2026-33183
[5] https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4
[6] https://github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33183", "sourceIdentifier": "[email protected]", "published": "2026-03-26T01:16:27.210", "lastModified": "2026-03-30T16:48:35.323", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \\, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write)."}, {"lang": "es", "value": "Saloon es una biblioteca de PHP que ofrece a los usuarios herramientas para crear integraciones de API y SDK. Antes de la versión 4.0.0, los nombres de los fixtures se utilizaban para generar rutas de archivo dentro del directorio de fixtures configurado sin validación. Un nombre que contuviera segmentos de ruta (por ejemplo, ../traversal o ../../etc /passwd) daba lugar a una ruta fuera de dicho directorio. Cuando la aplicación leía un fixture (por ejemplo, para simulación) o escribía uno (por ejemplo, al registrar respuestas), podía leer o escribir archivos en cualquier lugar al que el proceso tuviera acceso. Si el nombre del fixture se derivaba de una entrada controlada por el usuario o por un atacante (por ejemplo, parámetros de solicitud o configuración), esto constituía una vulnerabilidad de traversal de ruta y podía dar lugar a la divulgación de archivos confidenciales o a la sobrescritura de archivos críticos. La corrección en la versión 4.0.0 añade validación en la capa de fixtures (rechazando nombres con /, \\, .. o bytes nulos, y restringiéndolos a un conjunto de caracteres seguro) y defensa en profundidad en la capa de almacenamiento (asegurando que la ruta resuelta permanezca bajo el directorio base antes de cualquier lectura o escritura)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:saloon:saloon:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0", "matchCriteriaId": "2DA20E08-DBB0-4ACD-BED9-550F3ED97E3D"}]}]}], "refer ... (truncated)