Skip to main content

Saleor CVE-2026-39851

| EUVDEUVD-2026-20536 MEDIUM
Observable Response Discrepancy (CWE-204)
2026-04-08 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.20.118,3.22.47,3.23.0a3
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20536
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 17:33 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

AnalysisAI

Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestEmailChange() GraphQL mutation, allowing authenticated attackers to enumerate valid email addresses in the system. The vulnerability affects multiple version branches and is resolved in patched versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. CVSS 5.3 reflects low confidentiality impact with authentication requirement.

Technical ContextAI

The vulnerability resides in Saleor's GraphQL API layer, specifically the requestEmailChange() mutation endpoint. The root cause is classified under CWE-204 (Observable Discrepancy), meaning the API returns different or revealing error messages that leak information about whether an email address exists in the user database. Authenticated users can exploit this by submitting email addresses to the mutation and observing error responses that confirm email existence, enabling user enumeration attacks. The issue affects Saleor's core authentication and user management logic across multiple release branches.

RemediationAI

Upgrade Saleor to patched versions immediately: 3.23.0a3 or later for the 3.23 branch, 3.22.47 or later for 3.22, 3.21.54 or later for 3.21, or 3.20.118 or later for 3.20. If immediate upgrade is not feasible, restrict access to the requestEmailChange() GraphQL mutation endpoint to trusted users only, or implement rate limiting on mutation calls to mitigate enumeration attacks. The upstream fixes are available via commits 7be352fa, cdb66da9, d6a94e95, e42aa4d6, and f0371bdd on the Saleor repository, which standardize error messages to avoid leaking email existence information. Review the advisory at https://github.com/saleor/saleor/security/advisories/GHSA-m3rm-m4vq-27x7 for version-specific guidance.

More in Saleor

View all
CVE-2022-0932 MEDIUM POC
6.5 Mar 11

Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. Rated medium severity (CVSS 6.5), this vulnerab

CVE-2019-1010304 MEDIUM POC
5.3 Jul 15

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. Rated medium severity (CVSS 5.3),

CVE-2019-13594 HIGH
8.8 Jul 14

In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers

CVE-2026-33756 HIGH
7.5 Apr 08

Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching.

CVE-2026-24136 HIGH
7.5 Jan 24

Unauthenticated attackers can exploit an insecure direct object reference vulnerability in Saleor e-commerce platform ve

CVE-2026-35401 HIGH
7.5 Apr 08

GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-bas

CVE-2020-15085 MEDIUM
6.1 Jun 30

In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the

CVE-2026-35407 MEDIUM
5.9 Apr 08

Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the acc

CVE-2026-23499 MEDIUM
5.4 Jan 21

Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG

CVE-2024-31205 MEDIUM
5.4 Apr 08

Saleor is an e-commerce platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authe

CVE-2024-29888 MEDIUM
5.4 Mar 27

Saleor is an e-commerce platform that serves high-volume companies. Rated medium severity (CVSS 5.4), this vulnerability

CVE-2023-32694 MEDIUM
5.4 May 25

Saleor Core is a composable, headless commerce API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exp

Share

CVE-2026-39851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy