Skip to main content

Saleor CVE-2026-24136

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-01-24 security-advisories@github.com
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:59 vuln.today
Patch released
Feb 12, 2026 - 16:15 nvd
Patch available
CVE Published
Jan 24, 2026 - 00:15 nvd
HIGH 7.5

DescriptionGitHub Advisory

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.

AnalysisAI

Unauthenticated attackers can exploit an insecure direct object reference vulnerability in Saleor e-commerce platform versions 3.2.0-3.22.28 to retrieve sensitive customer information including personally identifiable data in plain text through the order() GraphQL query. This high-severity vulnerability (CVSS 7.5) affects orders across multiple version branches and has been patched in releases 3.20.110, 3.21.45, and 3.22.29. Organizations unable to patch immediately should implement WAF rules to restrict non-staff access to order queries.

Technical ContextAI

This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) affects Saleor. Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

More in Saleor

View all
CVE-2022-0932 MEDIUM POC
6.5 Mar 11

Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. Rated medium severity (CVSS 6.5), this vulnerab

CVE-2019-1010304 MEDIUM POC
5.3 Jul 15

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. Rated medium severity (CVSS 5.3),

CVE-2019-13594 HIGH
8.8 Jul 14

In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers

CVE-2026-33756 HIGH
7.5 Apr 08

Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching.

CVE-2026-35401 HIGH
7.5 Apr 08

GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-bas

CVE-2020-15085 MEDIUM
6.1 Jun 30

In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the

CVE-2026-35407 MEDIUM
5.9 Apr 08

Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the acc

CVE-2026-23499 MEDIUM
5.4 Jan 21

Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG

CVE-2024-31205 MEDIUM
5.4 Apr 08

Saleor is an e-commerce platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authe

CVE-2024-29888 MEDIUM
5.4 Mar 27

Saleor is an e-commerce platform that serves high-volume companies. Rated medium severity (CVSS 5.4), this vulnerability

CVE-2023-32694 MEDIUM
5.4 May 25

Saleor Core is a composable, headless commerce API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exp

CVE-2026-39851 MEDIUM
5.3 Apr 08

Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestE

Share

CVE-2026-24136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy