Skip to main content

canto-saas-api CVE-2026-55375

MEDIUM
Error Message Information Leak (CWE-209)
2026-06-19 https://github.com/jleehr/canto-saas-api GHSA-37pm-83g7-r22v
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Log and APM systems are network-accessible (AV:N); exploiting them requires existing log-read privilege (PR:L) and is not trivially achievable (AC:H); only confidentiality is impacted.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 14:54 vuln.today
Analysis Generated
Jun 19, 2026 - 14:54 vuln.today

DescriptionGitHub Advisory

Summary

In affected versions, the OAuth2 token request sends app_id, app_secret, refresh_token and code as URL query parameters of the POST request to https://oauth.<domain>/oauth/api/oauth2/token. Request URLs are commonly recorded in access logs, proxy logs and APM traces, so the application secret and refresh token can be persisted in plain text outside the application's control.

In addition, when the token request fails, the Guzzle exception message - which contains the full request URI including the credentials - was passed unmodified into the AuthorizationFailedException thrown by OAuth2::obtainAccessToken(). Applications that log exceptions or forward them to error trackers (e.g. Sentry) may therefore have recorded the app secret in their logs.

Impact

An attacker with access to web server logs, proxy logs, APM tracing data or application error logs of a consumer of this library can obtain the Canto app_secret, refresh_token or authorization code and use them to obtain access tokens for the Canto tenant.

Patches

Fixed in 3.0.0:

  • OAuth credentials are sent in the form-encoded POST body instead of the URL

query string (RFC 6749 §2.3.1). OAuth2Request::getQueryParams() now returns null; the parameters are available via getFormParams().

  • Exception messages are sanitized before being rethrown: the values of

app_secret, refresh_token and code are masked (including url-encoded, differently cased and JSON-embedded variants).

Workarounds

If you cannot upgrade:

  • Treat web server, proxy and APM logs of systems performing Canto OAuth

requests as secret material and restrict access to them.

  • Catch AuthorizationFailedException in your application and strip the query

string from the message before logging or forwarding it.

If your logs may have been exposed, rotate the affected Canto app secret.

AnalysisAI

OAuth2 credential exposure in the jleehr/canto-saas-api PHP Composer library (versions ≤ 2.0.0) allows any party with read access to web server logs, proxy logs, APM traces, or error tracking platforms to harvest Canto app_secret, refresh_token, and authorization code values in plaintext. The library violates RFC 6749 §2.3.1 by transmitting these credentials as URL query parameters on POST requests to the Canto OAuth token endpoint, rather than in the form-encoded POST body - causing them to be recorded by default in virtually every HTTP logging layer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain read access to application logs or APM/error tracker
Delivery
Search for POST requests to Canto OAuth token endpoint
Exploit
Extract app_secret and refresh_token from URL query string
Execution
Submit harvested credentials to Canto OAuth API
Persist
Obtain valid access token
Impact
Access or exfiltrate Canto tenant resources

Vulnerability AssessmentAI

Exploitation Exploitation requires that an attacker have read access to at least one of: web server access logs (nginx, Apache), reverse proxy or load balancer logs (AWS ALB, Cloudflare), APM tracing data (Datadog, New Relic), or application error tracker data (Sentry) for a system that runs any version ≤ 2.0.0 of jleehr/canto-saas-api. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, score 5.3) is well-calibrated: the network vector reflects that logs and error trackers are commonly accessed over the network, AC:H reflects that an attacker must first obtain read access to the target organization's log infrastructure or error tracking platform, and PR:L reflects that some form of existing access privilege is required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with read access to an nginx access log, an AWS S3 bucket containing ALB access logs, or a Sentry project used by the victim application searches for POST requests to the Canto OAuth token endpoint URL and extracts the app_secret, refresh_token, or authorization code from the query string embedded in the logged URL. Using standard curl or a Guzzle-based script, the attacker submits these credentials directly to the Canto OAuth token endpoint to obtain a valid access token, then uses it to enumerate and exfiltrate assets from the victim's Canto tenant. …
Remediation The primary remediation is to upgrade jleehr/canto-saas-api to version 3.0.0 or later via Composer (composer require jleehr/canto-saas-api:^3.0.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55375 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy