canto-saas-api CVE-2026-55374
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
AC:H because exploitation requires the consuming application to pass unvalidated external input to path variables; PR:N as the attacker has no direct library access; no availability impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
In affected versions, Request::buildRequestUrl() inserts path variables into the request URL without URL encoding (implode('/', $pathVariables)). All request classes implementing getPathVariables() are affected, e.g. GetContentDetailsRequest (scheme, contentId).
If a consuming application passes untrusted input (such as an ID taken from an HTTP request parameter) as a path variable, characters like ../, ? or # are sent verbatim and can change the path of the resulting API request.
Impact
An attacker who controls a path variable value can redirect the library's authenticated request - the Bearer access token is attached in AbstractEndpoint::sendRequest() - to a different API endpoint of the same Canto instance, causing unintended reads or writes with the privileges of the configured app. The impact depends on how the consuming application sources path variable values; applications that only pass trusted, validated IDs are not exploitable.
Patches
Fixed in 3.0.0: every path segment is encoded with rawurlencode() before being inserted into the request URL.
Workarounds
If you cannot upgrade, validate untrusted values before passing them to request classes, e.g. enforce an allowlist pattern such as ^[A-Za-z0-9_-]+$ for content IDs and schemes.
AnalysisAI
Unencoded path variable injection in jleehr/canto-saas-api (versions ≤ 2.0.0) allows URL path traversal sequences and delimiter characters to alter the destination endpoint of outbound API requests constructed by Request::buildRequestUrl(). When a consuming PHP application passes untrusted user input directly as path variables - such as scheme or contentId in GetContentDetailsRequest - characters including ../, ?, and # are inserted verbatim, silently redirecting the request to an unintended Canto API endpoint. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the consuming PHP application accepts external, attacker-controlled input (for example, from an HTTP request parameter or form field) and passes it without allowlist validation directly to a request class that implements `getPathVariables()` - such as `GetContentDetailsRequest` via its `scheme` or `contentId` constructor arguments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N appropriately reflects the conditional nature of exploitation: AC:H captures that the attack succeeds only when the consuming application fails to validate untrusted input before passing it to path variable parameters, which is not a universal deployment condition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a web application that calls `GetContentDetailsRequest` using a `contentId` value sourced from a user-supplied HTTP query parameter without validation. The attacker submits a request with a crafted `contentId` such as `abc/../admin/permissions#` which, when inserted verbatim by `implode('/', $pathVariables)`, resolves the outbound API URL to an unintended administrative endpoint on the Canto instance. … |
| Remediation | Upgrade `jleehr/canto-saas-api` to version 3.0.0, which resolves the issue by encoding every path segment with `rawurlencode()` in `Request::buildRequestUrl()` before URL assembly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9qfv-wgh2-m6p8