CVE-2026-55374
Published: June 19, 2026
Updated: June 21, 2026
Summary
In affected versions, "Request::buildRequestUrl()" inserts path variables into the request URL without URL encoding ("implode('/', $pathVariables)"). All request classes implementing "getPathVariables()" are affected, e.g. "GetContentDetailsRequest" ("scheme", "contentId"). If a consuming application passes untrusted input (such as an ID taken from an HTTP request parameter) as a path variable, characters like "../", "?" or "#" are sent verbatim and can change the path of the resulting API request.
Impact
An attacker who controls a path variable value can redirect the library's authenticated request — the Bearer access token is attached in "AbstractEndpoint::sendRequest()" — to a different API endpoint of the same Canto instance, causing unintended reads or writes with the privileges of the configured app. The impact depends on how the consuming application sources path variable values; applications that only pass trusted, validated IDs are not exploitable.
Patches
Fixed in 3.0.0: every path segment is encoded with "rawurlencode()" before being inserted into the request URL.
Workarounds
If you cannot upgrade, validate untrusted values before passing them to request classes, e.g. enforce an allowlist pattern such as "^[A-Za-z0-9_-]+$" for content IDs and schemes.
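The three behaviours the advisory names, shown side by side as an added illustration (this is not code from jleehr/canto-saas-api): verbatim joining of path variables as in the affected versions, per-segment "rawurlencode()" as in 3.0.0, and the "^[A-Za-z0-9_-]+$" allowlist suggested as a workaround. The base URL, the "content" endpoint name and the sample values are constructed placeholders; the helper names ("buildRequestUrlUnencoded", "buildRequestUrlEncoded", "assertSafePathVariable", "countVariableSegments") are this example's own, not the library's.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from jleehr/canto-saas-api. BASE_URL and the
// "content" endpoint are constructed placeholders; only the behaviours named in
// the advisory (verbatim implode() vs. rawurlencode() per segment, and the
// "^[A-Za-z0-9_-]+$" allowlist) are taken from the page.
const BASE_URL = 'https://canto.example.invalid/api/v1';

/** Pre-3.0.0 behaviour as the advisory describes it: segments joined verbatim. */
function buildRequestUrlUnencoded(string $endpoint, array $pathVariables): string
{
    return BASE_URL . '/' . $endpoint . '/' . implode('/', $pathVariables);
}

/** 3.0.0 behaviour as the advisory describes it: each segment is rawurlencode()d first. */
function buildRequestUrlEncoded(string $endpoint, array $pathVariables): string
{
    $segments = array_map(static fn ($v): string => rawurlencode((string) $v), $pathVariables);
    return BASE_URL . '/' . $endpoint . '/' . implode('/', $segments);
}

/** Workaround from the advisory for versions before 3.0.0: allowlist the value first. */
function assertSafePathVariable(string $value): string
{
    if (preg_match('/^[A-Za-z0-9_-]+$/', $value) !== 1) {
        throw new InvalidArgumentException('Rejected path variable: ' . var_export($value, true));
    }
    return $value;
}

/** Path segments after "/<endpoint>/"; each path variable should contribute exactly one. */
function countVariableSegments(string $url, string $endpoint): int
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return 0;
    }
    $pos = strpos($path, '/' . $endpoint . '/');
    if ($pos === false) {
        return 0;
    }
    $tail = substr($path, $pos + strlen($endpoint) + 2);
    return count(array_filter(explode('/', $tail), static fn ($s) => $s !== ''));
}

// Constructed sample values: a well-formed content ID and one carrying the
// characters the advisory names ("../", "?", "#").
$samples = [
    'well-formed id' => 'abc123',
    'untrusted id'   => '../other?x=1#frag',
];

foreach ($samples as $label => $value) {
    $vars   = ['image', $value];   // scheme, contentId (two path variables)
    $loose  = buildRequestUrlUnencoded('content', $vars);
    $strict = buildRequestUrlEncoded('content', $vars);

    printf("%s\n", $label);
    foreach (['unencoded' => $loose, 'encoded  ' => $strict] as $kind => $url) {
        // With two path variables, a correct build yields exactly two extra
        // segments and no query or fragment; parse_url() does not normalise
        // "..", so the unencoded form shows the extra segments it introduces.
        printf("  %s: %s\n", $kind, $url);
        printf("    segments after endpoint: %d, query: %s, fragment: %s\n",
            countVariableSegments($url, 'content'),
            parse_url($url, PHP_URL_QUERY) ?? '(none)',
            parse_url($url, PHP_URL_FRAGMENT) ?? '(none)');
    }

    try {
        assertSafePathVariable($value);
        printf("  allowlist: accepted\n");
    } catch (InvalidArgumentException $e) {
        printf("  allowlist: %s\n", $e->getMessage());
    }
}
```

Run it with "php example.php" (PHP 8). The allowlist is worth keeping even after upgrading: "rawurlencode()" leaves unreserved characters such as "." untouched, so it constrains where a value lands in the URL but does not judge whether the value is a plausible ID, whereas the pattern rejects anything outside the expected character set before a request is built.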
Affected Packages
jleehr/canto-saas-api (PHP):
Affected version(s): >=dev-dependabot/github_actions/github-actions-6a98abd9ac <3.0.0
Fix Suggestion: Update to version 3.0.0
CVSS v4
Base Score: 6.3
Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: LOW
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 4.8
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE