Skip to main content

Saleor EUVDEUVD-2026-20527

| CVE-2026-33756 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-08 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 20, 2026 - 20:07 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:02 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.21.54,3.20.118,3.23.0a3
EUVD ID Assigned
Apr 08, 2026 - 18:16 euvd
EUVD-2026-20527
Analysis Generated
Apr 08, 2026 - 18:16 vuln.today
CVE Published
Apr 08, 2026 - 17:07 nvd
HIGH 7.5

DescriptionGitHub Advisory

Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

AnalysisAI

Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching. Unauthenticated remote attackers can submit a single HTTP request containing an unbounded array of GraphQL operations, bypassing per-query complexity controls to exhaust server resources and render the platform unavailable. Vendor-released patches are available across all affected major versions (3.20.118, 3.21.54, 3.22.47, 3.23.0a3). No public exploit identified at time of analysis, though the attack vector is straightforward (CVSS AV:N/AC:L/PR:N).

Technical ContextAI

Saleor implements GraphQL query batching, a common optimization allowing clients to submit multiple operations in a single HTTP POST request as a JSON array. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling) - specifically, the absence of an upper bound on array size. While individual GraphQL queries had complexity limits to prevent resource exhaustion, the batching mechanism allowed attackers to submit thousands of operations in one request, multiplying resource consumption beyond intended safeguards. This affects the GraphQL execution engine's request parsing and operation scheduling logic. The affected product (cpe:2.3:a:saleor:saleor) is a Python-based headless e-commerce framework commonly deployed in high-traffic retail environments where availability is business-critical.

RemediationAI

Upgrade to patched Saleor versions immediately: 3.20.118 for the 3.20.x branch, 3.21.54 for 3.21.x, 3.22.47 for 3.22.x, or 3.23.0a3 for the 3.23 alpha series. Vendor advisory at https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp contains migration guidance. Patches implement configurable limits on the number of GraphQL operations per request (commits e42aa4d6e588982e, cdb66da97abb7c86, d6a94e95bd77f3f733, f0371bdd4cafcc841, 7be352fa8c35875d). As an interim workaround before patching, deploy reverse proxy or WAF rules to limit HTTP POST body size to GraphQL endpoints (typically /graphql/) to a reasonable threshold (e.g., 1MB), or implement upstream rate limiting per source IP to constrain request frequency. Ensure application-level monitoring alerts on abnormal GraphQL request patterns (large payload sizes, high operation counts).

More in Saleor

View all
CVE-2022-0932 MEDIUM POC
6.5 Mar 11

Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. Rated medium severity (CVSS 6.5), this vulnerab

CVE-2019-1010304 MEDIUM POC
5.3 Jul 15

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. Rated medium severity (CVSS 5.3),

CVE-2019-13594 HIGH
8.8 Jul 14

In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers

CVE-2026-24136 HIGH
7.5 Jan 24

Unauthenticated attackers can exploit an insecure direct object reference vulnerability in Saleor e-commerce platform ve

CVE-2026-35401 HIGH
7.5 Apr 08

GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-bas

CVE-2020-15085 MEDIUM
6.1 Jun 30

In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the

CVE-2026-35407 MEDIUM
5.9 Apr 08

Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the acc

CVE-2026-23499 MEDIUM
5.4 Jan 21

Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG

CVE-2024-31205 MEDIUM
5.4 Apr 08

Saleor is an e-commerce platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authe

CVE-2024-29888 MEDIUM
5.4 Mar 27

Saleor is an e-commerce platform that serves high-volume companies. Rated medium severity (CVSS 5.4), this vulnerability

CVE-2023-32694 MEDIUM
5.4 May 25

Saleor Core is a composable, headless commerce API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exp

CVE-2026-39851 MEDIUM
5.3 Apr 08

Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestE

Share

EUVD-2026-20527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy