Skip to main content

canto-saas-api CVE-2026-55374

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-19 https://github.com/jleehr/canto-saas-api GHSA-9qfv-wgh2-m6p8
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

AC:H because exploitation requires the consuming application to pass unvalidated external input to path variables; PR:N as the attacker has no direct library access; no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 14:53 vuln.today
Analysis Generated
Jun 19, 2026 - 14:53 vuln.today

DescriptionGitHub Advisory

Summary

In affected versions, Request::buildRequestUrl() inserts path variables into the request URL without URL encoding (implode('/', $pathVariables)). All request classes implementing getPathVariables() are affected, e.g. GetContentDetailsRequest (scheme, contentId).

If a consuming application passes untrusted input (such as an ID taken from an HTTP request parameter) as a path variable, characters like ../, ? or # are sent verbatim and can change the path of the resulting API request.

Impact

An attacker who controls a path variable value can redirect the library's authenticated request - the Bearer access token is attached in AbstractEndpoint::sendRequest() - to a different API endpoint of the same Canto instance, causing unintended reads or writes with the privileges of the configured app. The impact depends on how the consuming application sources path variable values; applications that only pass trusted, validated IDs are not exploitable.

Patches

Fixed in 3.0.0: every path segment is encoded with rawurlencode() before being inserted into the request URL.

Workarounds

If you cannot upgrade, validate untrusted values before passing them to request classes, e.g. enforce an allowlist pattern such as ^[A-Za-z0-9_-]+$ for content IDs and schemes.

AnalysisAI

Unencoded path variable injection in jleehr/canto-saas-api (versions ≤ 2.0.0) allows URL path traversal sequences and delimiter characters to alter the destination endpoint of outbound API requests constructed by Request::buildRequestUrl(). When a consuming PHP application passes untrusted user input directly as path variables - such as scheme or contentId in GetContentDetailsRequest - characters including ../, ?, and # are inserted verbatim, silently redirecting the request to an unintended Canto API endpoint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted path traversal value via HTTP input
Delivery
Application passes value unvalidated to GetContentDetailsRequest path variable
Exploit
buildRequestUrl() assembles malformed API URL with unencoded traversal sequence
Execution
AbstractEndpoint::sendRequest() attaches Bearer token to redirected request
Persist
Unintended Canto API endpoint receives authenticated request
Impact
Attacker achieves unintended read or write under app privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires that the consuming PHP application accepts external, attacker-controlled input (for example, from an HTTP request parameter or form field) and passes it without allowlist validation directly to a request class that implements `getPathVariables()` - such as `GetContentDetailsRequest` via its `scheme` or `contentId` constructor arguments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N appropriately reflects the conditional nature of exploitation: AC:H captures that the attack succeeds only when the consuming application fails to validate untrusted input before passing it to path variable parameters, which is not a universal deployment condition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a web application that calls `GetContentDetailsRequest` using a `contentId` value sourced from a user-supplied HTTP query parameter without validation. The attacker submits a request with a crafted `contentId` such as `abc/../admin/permissions#` which, when inserted verbatim by `implode('/', $pathVariables)`, resolves the outbound API URL to an unintended administrative endpoint on the Canto instance. …
Remediation Upgrade `jleehr/canto-saas-api` to version 3.0.0, which resolves the issue by encoding every path segment with `rawurlencode()` in `Request::buildRequestUrl()` before URL assembly. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy