Description
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Saleor allows a client to batch multiple GraphQL operations in a single HTTP request as a JSON array. No upper limit was enforced on the number of operations, which meant an unauthenticated user could submit a single request containing many operations. This bypasses the per‑query complexity limit and can exhaust server resources, leading to degraded performance or a complete denial of service. The weakness is categorized as unbounded resource consumption (CWE‑770).

Affected Systems

The vulnerability affects the Saleor e‑commerce platform. All releases from 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 are susceptible. Those specific releases have been patched to restrict the maximum number of batched operations.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that while the condition is not currently widely exploited, it could be leveraged by an attacker with minimal effort. The likely attack vector is an unauthenticated external request, so any system exposed to public traffic could be targeted. Exploiting this requires no special authentication or privilege and only involves sending a crafted batch request to the GraphQL endpoint.

Generated by OpenCVE AI on April 8, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Saleor to version 3.23.0a3 or later, or to the patched releases 3.22.47, 3.21.54, or 3.20.118.
  • If an upgrade is not immediately possible, configure a limit on the maximum number of operations in a batched request at the API gateway or load balancer to prevent resource exhaustion.
  • Continuously monitor incoming GraphQL requests for unusually large batch sizes and block or rate‑limit suspicious traffic.

Generated by OpenCVE AI on April 8, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Saleor
Saleor saleor
Vendors & Products Saleor
Saleor saleor

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Title Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Saleor Saleor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:42:28.521Z

Reserved: 2026-03-23T18:30:14.125Z

Link: CVE-2026-33756

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T18:26:00.700

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-33756

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:38:54Z

Weaknesses