Description
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
Published: 2026-01-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an Insecure Direct Object Reference in Saleor’s GraphQL API that allows an unauthenticated user to retrieve order information, including personally identifiable information created before version 3.2.0. The flaw arises from insufficient authorization checks on the order() GraphQL query, enabling attackers to read sensitive data that should be restricted to authenticated staff accounts.

Affected Systems

Saleor e‑commerce platform, vendors: Saleor, product: Saleor. Affected releases include 3.2.0 through 3.20.109, 3.21.0‑a.0 through 3.21.44, and 3.22.0‑a.0 through 3.22.28.

Risk and Exploitability

The CVSS vector indicates a high severity of 8.7. Exploitation probability remains low (EPSS < 1 %) and the vulnerability is not listed in the CISA KEV catalog. Attack opportunity exists through the public GraphQL endpoint without authentication, relying on the IDOR weakness (CWE‑639).

Generated by OpenCVE AI on April 18, 2026 at 03:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the patched Saleor releases: 3.20.110, 3.21.45, or 3.22.29.
  • If a patch cannot be applied immediately, configure your WAF to block non‑staff users from accessing the order() GraphQL query.
  • Implement proper authorization checks on the GraphQL order resolvers to ensure only authenticated staff can retrieve order data.

Generated by OpenCVE AI on April 18, 2026 at 03:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Saleor
Saleor saleor
Vendors & Products Saleor
Saleor saleor

Fri, 23 Jan 2026 23:45:00 +0000

Type Values Removed Values Added
Description Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
Title Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Saleor Saleor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T17:10:16.445Z

Reserved: 2026-01-21T18:38:22.474Z

Link: CVE-2026-24136

cve-icon Vulnrichment

Updated: 2026-01-26T17:10:01.219Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T00:15:49.167

Modified: 2026-02-12T16:15:00.550

Link: CVE-2026-24136

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses