canto-saas-api CVE-2026-55375
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Log and APM systems are network-accessible (AV:N); exploiting them requires existing log-read privilege (PR:L) and is not trivially achievable (AC:H); only confidentiality is impacted.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
In affected versions, the OAuth2 token request sends app_id, app_secret, refresh_token and code as URL query parameters of the POST request to https://oauth.<domain>/oauth/api/oauth2/token. Request URLs are commonly recorded in access logs, proxy logs and APM traces, so the application secret and refresh token can be persisted in plain text outside the application's control.
In addition, when the token request fails, the Guzzle exception message - which contains the full request URI including the credentials - was passed unmodified into the AuthorizationFailedException thrown by OAuth2::obtainAccessToken(). Applications that log exceptions or forward them to error trackers (e.g. Sentry) may therefore have recorded the app secret in their logs.
Impact
An attacker with access to web server logs, proxy logs, APM tracing data or application error logs of a consumer of this library can obtain the Canto app_secret, refresh_token or authorization code and use them to obtain access tokens for the Canto tenant.
Patches
Fixed in 3.0.0:
- OAuth credentials are sent in the form-encoded POST body instead of the URL
query string (RFC 6749 §2.3.1). OAuth2Request::getQueryParams() now returns null; the parameters are available via getFormParams().
- Exception messages are sanitized before being rethrown: the values of
app_secret, refresh_token and code are masked (including url-encoded, differently cased and JSON-embedded variants).
Workarounds
If you cannot upgrade:
- Treat web server, proxy and APM logs of systems performing Canto OAuth
requests as secret material and restrict access to them.
- Catch
AuthorizationFailedExceptionin your application and strip the query
string from the message before logging or forwarding it.
If your logs may have been exposed, rotate the affected Canto app secret.
AnalysisAI
OAuth2 credential exposure in the jleehr/canto-saas-api PHP Composer library (versions ≤ 2.0.0) allows any party with read access to web server logs, proxy logs, APM traces, or error tracking platforms to harvest Canto app_secret, refresh_token, and authorization code values in plaintext. The library violates RFC 6749 §2.3.1 by transmitting these credentials as URL query parameters on POST requests to the Canto OAuth token endpoint, rather than in the form-encoded POST body - causing them to be recorded by default in virtually every HTTP logging layer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that an attacker have read access to at least one of: web server access logs (nginx, Apache), reverse proxy or load balancer logs (AWS ALB, Cloudflare), APM tracing data (Datadog, New Relic), or application error tracker data (Sentry) for a system that runs any version ≤ 2.0.0 of jleehr/canto-saas-api. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, score 5.3) is well-calibrated: the network vector reflects that logs and error trackers are commonly accessed over the network, AC:H reflects that an attacker must first obtain read access to the target organization's log infrastructure or error tracking platform, and PR:L reflects that some form of existing access privilege is required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with read access to an nginx access log, an AWS S3 bucket containing ALB access logs, or a Sentry project used by the victim application searches for POST requests to the Canto OAuth token endpoint URL and extracts the app_secret, refresh_token, or authorization code from the query string embedded in the logged URL. Using standard curl or a Guzzle-based script, the attacker submits these credentials directly to the Canto OAuth token endpoint to obtain a valid access token, then uses it to enumerate and exfiltrate assets from the victim's Canto tenant. … |
| Remediation | The primary remediation is to upgrade jleehr/canto-saas-api to version 3.0.0 or later via Composer (composer require jleehr/canto-saas-api:^3.0.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-37pm-83g7-r22v