GHSA-37PM-83G7-R22V
Vulnerability from github – Published: 2026-06-19 14:16 – Updated: 2026-06-19 14:16Summary
In affected versions, the OAuth2 token request sends app_id, app_secret,
refresh_token and code as URL query parameters of the POST request to
https://oauth.<domain>/oauth/api/oauth2/token. Request URLs are commonly
recorded in access logs, proxy logs and APM traces, so the application secret
and refresh token can be persisted in plain text outside the application's
control.
In addition, when the token request fails, the Guzzle exception message —
which contains the full request URI including the credentials — was passed
unmodified into the AuthorizationFailedException thrown by
OAuth2::obtainAccessToken(). Applications that log exceptions or forward
them to error trackers (e.g. Sentry) may therefore have recorded the app
secret in their logs.
## Impact
An attacker with access to web server logs, proxy logs, APM tracing data or
application error logs of a consumer of this library can obtain the Canto
app_secret, refresh_token or authorization code and use them to obtain
access tokens for the Canto tenant.
## Patches
Fixed in 3.0.0:
- OAuth credentials are sent in the form-encoded POST body instead of the URL
query string (RFC 6749 §2.3.1).
OAuth2Request::getQueryParams()now returnsnull; the parameters are available viagetFormParams(). - Exception messages are sanitized before being rethrown: the values of
app_secret,refresh_tokenandcodeare masked (including url-encoded, differently cased and JSON-embedded variants).
## Workarounds
If you cannot upgrade:
- Treat web server, proxy and APM logs of systems performing Canto OAuth requests as secret material and restrict access to them.
- Catch
AuthorizationFailedExceptionin your application and strip the query string from the message before logging or forwarding it.
If your logs may have been exposed, rotate the affected Canto app secret.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0"
},
"package": {
"ecosystem": "Packagist",
"name": "jleehr/canto-saas-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55375"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T14:16:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n In affected versions, the OAuth2 token request sends `app_id`, `app_secret`,\n `refresh_token` and `code` as URL query parameters of the POST request to\n `https://oauth.\u003cdomain\u003e/oauth/api/oauth2/token`. Request URLs are commonly\n recorded in access logs, proxy logs and APM traces, so the application secret\n and refresh token can be persisted in plain text outside the application\u0027s\n control.\n\n In addition, when the token request fails, the Guzzle exception message \u2014\n which contains the full request URI including the credentials \u2014 was passed\n unmodified into the `AuthorizationFailedException` thrown by\n `OAuth2::obtainAccessToken()`. Applications that log exceptions or forward\n them to error trackers (e.g. Sentry) may therefore have recorded the app\n secret in their logs.\n\n ## Impact\n\n An attacker with access to web server logs, proxy logs, APM tracing data or\n application error logs of a consumer of this library can obtain the Canto\n `app_secret`, `refresh_token` or authorization `code` and use them to obtain\n access tokens for the Canto tenant.\n\n ## Patches\n\n Fixed in 3.0.0:\n\n - OAuth credentials are sent in the form-encoded POST body instead of the URL\n query string (RFC 6749 \u00a72.3.1). `OAuth2Request::getQueryParams()` now\n returns `null`; the parameters are available via `getFormParams()`.\n - Exception messages are sanitized before being rethrown: the values of\n `app_secret`, `refresh_token` and `code` are masked (including url-encoded,\n differently cased and JSON-embedded variants).\n\n ## Workarounds\n\n If you cannot upgrade:\n\n - Treat web server, proxy and APM logs of systems performing Canto OAuth\n requests as secret material and restrict access to them.\n - Catch `AuthorizationFailedException` in your application and strip the query\n string from the message before logging or forwarding it.\n\n If your logs may have been exposed, rotate the affected Canto app secret.",
"id": "GHSA-37pm-83g7-r22v",
"modified": "2026-06-19T14:16:41Z",
"published": "2026-06-19T14:16:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jleehr/canto-saas-api/security/advisories/GHSA-37pm-83g7-r22v"
},
{
"type": "PACKAGE",
"url": "https://github.com/jleehr/canto-saas-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "canto-saas-api: OAuth credentials exposed in URL query string and exception messages"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.