GHSA-9qfv-wgh2-m6p8MediumCVSS 4.8

canto-saas-api: Authenticated API requests can be redirected via unencoded path variables

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

In affected versions, Request::buildRequestUrl() inserts path variables into the request URL without URL encoding (implode('/', $pathVariables)). All request classes implementing getPathVariables() are affected, e.g. GetContentDetailsRequest (scheme, contentId).

If a consuming application passes untrusted input (such as an ID taken from an HTTP request parameter) as a path variable, characters like ../, ? or # are sent verbatim and can change the path of the resulting API request.

Impact

An attacker who controls a path variable value can redirect the library's authenticated request — the Bearer access token is attached in AbstractEndpoint::sendRequest() — to a different API endpoint of the same Canto instance, causing unintended reads or writes with the privileges of the configured app. The impact depends on how the consuming application sources path variable values; applications that only pass trusted, validated IDs are not exploitable.

Patches

Fixed in 3.0.0: every path segment is encoded with rawurlencode() before being inserted into the request URL.

Workarounds

If you cannot upgrade, validate untrusted values before passing them to request classes, e.g. enforce an allowlist pattern such as ^[A-Za-z0-9_-]+$ for content IDs and schemes.

🎯 Affected products1

  • composer/jleehr/canto-saas-api:<= 2.0.0

🔗 References (2)