EUVD-2026-20532CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Tags
Description
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Analysis
GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-based or chained mutation requests. Attackers craft single API calls containing excessive GraphQL operations (mutations/queries) via aliasing or chaining, exhausting server resources and disrupting service availability. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Saleor instances and confirm versions in production; document which systems expose GraphQL endpoints publicly. Within 7 days: Implement rate limiting and query depth/complexity restrictions on GraphQL endpoints using Saleor's built-in configuration; consider IP whitelisting for API consumers. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today