Description
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion
Action: Patch Now
AI Analysis

Impact

Saleor, an e‑commerce platform, contains a GraphQL resource exhaustion flaw: an attacker can pack many mutations or queries into a single request by using field aliases or by chaining mutations, so that one HTTP request makes the server perform a large amount of work. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The consequence is that an attacker can exhaust CPU, memory, database connections or other server limits, degrading or denying service to legitimate users; the CVSS vector records no confidentiality or integrity impact, so availability is the only property at stake.

Affected Systems

The affected vendor is Saleor and the affected product is the Saleor e‑commerce platform. Every release from 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54 and 3.20.118 is affected. The fix is to upgrade to 3.23.0a3, or to the patched release of the maintenance line in use: 3.22.47, 3.21.54 or 3.20.118.

Risk and Exploitability

With a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the vulnerability is rated high. The EPSS probability is below 1% and the CVE is not listed in CISA's KEV catalog, so exploitation in the wild has not been documented; the SSVC assessment nevertheless marks it as automatable, which fits an attack that consists of a single crafted HTTP request. The attack vector is a remote GraphQL API call over HTTP or HTTPS. No authentication is required: any client that can reach the GraphQL endpoint can send the crafted document, and since it arrives as ordinary API traffic, authentication on individual mutations does not by itself stop the request from being parsed and executed.

Generated by OpenCVE AI on April 8, 2026 at 19:56 UTC.

Remediation

The vendor fix is the set of patched releases named in the description: 3.23.0a3, 3.22.47, 3.21.54 and 3.20.118. No vendor‑documented workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Saleor to version 3.23.0a3 or later, or to the corresponding patched releases 3.22.47, 3.21.54, or 3.20.118.
  • Limit the work a single GraphQL document may request (cap the number of root‑level fields, counting each alias as its own field, and enforce a query depth or cost limit) and rate‑limit requests per client, so that neither one oversized document nor a flood of ordinary ones can exhaust the server.
  • Restrict access to the GraphQL endpoint so that only authorized users or trusted network ranges can reach it.
  • Monitor server resource utilization and set alerts for abnormal spikes that may indicate abuse of the GraphQL interface.
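To make the attack shape and the per‑request limit concrete, the following Python module is an added illustration for this page; it is not Saleor's code and does not reproduce Saleor's actual fix. It builds a constructed alias‑flood mutation of the kind the description refers to, then applies a standard‑library‑only pre‑execution guard that tokenises the document, counts root‑level selections per operation (each alias, fragment spread or inline fragment counts as one), and rejects documents above a configured limit or documents that are not even structurally sane. The field name updateMetadata and the argument shapes are placeholders, not a claim about which Saleor operation is expensive.

```python
"""Root-field counter for GraphQL documents (illustrative guard, not Saleor's code).

A GraphQL server executes every root-level selection in an operation, so a
document holding thousands of aliased copies of one field does thousands of
units of work for a single HTTP request. This module counts those selections
before execution so an oversized document can be refused cheaply.
"""
import re

NAME_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")
NUMBER_RE = re.compile(r"-?[0-9][0-9.eE+-]*")
PUNCTUATORS = set("!$&():=@[]{}|")


def build_alias_flood(n, field="updateMetadata", args='(id: "x", input: [])'):
    """Constructed attack shape: n aliased copies of one mutation in one document.
    Field and argument names are placeholders (assumption, not Saleor's schema)."""
    lines = [f"  m{i}: {field}{args} {{ errors {{ message }} }}" for i in range(n)]
    return "mutation {\n" + "\n".join(lines) + "\n}"


def tokenize(document):
    """Yield (kind, value) tokens; kind is 'name', 'punct', 'string' or 'number'.
    String contents are discarded, comments and insignificant commas skipped."""
    i, n = 0, len(document)
    while i < n:
        c = document[i]
        if c in " \t\r\n,\ufeff":
            i += 1
        elif c == "#":  # comment runs to end of line
            while i < n and document[i] != "\n":
                i += 1
        elif document.startswith('"""', i):  # block string, honour \""" escape
            j = document.find('"""', i + 3)
            while j != -1 and document[j - 1] == "\\":
                j = document.find('"""', j + 3)
            if j == -1:
                raise ValueError("unterminated block string")
            i = j + 3
            yield ("string", "")
        elif c == '"':  # ordinary string, honour backslash escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
            if i >= n:
                raise ValueError("unterminated string")
            i += 1
            yield ("string", "")
        elif document.startswith("...", i):
            i += 3
            yield ("punct", "...")
        elif c in PUNCTUATORS:
            i += 1
            yield ("punct", c)
        else:
            m = NAME_RE.match(document, i) or NUMBER_RE.match(document, i)
            if not m:
                raise ValueError(f"unexpected character {c!r} at offset {i}")
            i = m.end()
            yield ("name" if c.isalpha() or c == "_" else "number", m.group())


def count_root_fields(document):
    """Return one count per operation (or fragment definition): the number of
    root-level selections, where an aliased field, a fragment spread and an
    inline fragment each count as one. Raises ValueError on unbalanced input."""
    counts, brace, paren, current = [], 0, 0, None
    prev = prev2 = ("punct", "")
    for tok in tokenize(document):
        kind, val = tok
        if kind == "punct" and val == "(":
            paren += 1
        elif kind == "punct" and val == ")":
            paren -= 1
            if paren < 0:
                raise ValueError("unbalanced parentheses")
        elif kind == "punct" and val == "{":
            brace += 1
            if brace == 1 and paren == 0:
                current = 0  # entering an operation's root selection set
        elif kind == "punct" and val == "}":
            brace -= 1
            if brace < 0:
                raise ValueError("unbalanced braces")
            if brace == 0 and paren == 0 and current is not None:
                counts.append(current)
                current = None
        elif brace == 1 and paren == 0 and current is not None:
            if kind == "punct" and val == "...":
                current += 1  # spread / inline fragment expands to more fields
            elif kind == "name":
                after_alias = prev == ("punct", ":")       # alias: field
                directive = prev == ("punct", "@")         # @include(...)
                spread_target = prev == ("punct", "...")   # ...Frag or ... on
                inline_type = prev == ("name", "on") and prev2 == ("punct", "...")
                if not (after_alias or directive or spread_target or inline_type):
                    current += 1
        prev2, prev = prev, tok
    if brace != 0 or paren != 0:
        raise ValueError("unbalanced document")
    return counts


def check_root_field_limit(document, max_root_fields=10):
    """Decide whether a document may be executed. Returns (allowed, worst_count);
    a malformed document is rejected with worst_count None."""
    try:
        counts = count_root_fields(document)
    except ValueError:
        return False, None
    worst = max(counts, default=0)
    return worst <= max_root_fields, worst


if __name__ == "__main__":
    legit = ("mutation UpdateOne($id: ID!, $in: [MetadataInput!]!) {\n"
             "  updateMetadata(id: $id, input: $in) { errors { message } }\n}")
    for name, doc in (("alias flood", build_alias_flood(500)), ("single mutation", legit)):
        allowed, worst = check_root_field_limit(doc, max_root_fields=10)
        print(f"{name}: {worst} root selections -> {'allowed' if allowed else 'rejected'}")
```

The guard works on raw text so it can run before the GraphQL library parses anything; in a real deployment the same count is better taken on the parsed AST during the library's validation phase, alongside depth and cost limits, since a textual scan like this one deliberately accepts any document it cannot prove to be oversized.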

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Saleor; Saleor saleor
Vendors & Products   -                Saleor; Saleor saleor
Metrics              -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description   -                Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Title         -                Saleor has a resource exhaustion vulnerability in GraphQL queries
Weaknesses    -                CWE-770
References    -                -
Metrics       -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:21:37.796Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35401

Vulnrichment

Updated: 2026-04-08T19:21:33.887Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:23.740

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-35401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:12:51Z

Weaknesses