Description
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account’s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Published: 2026-04-08
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Email Change
Action: Patch
AI Analysis

Impact

A business-logic and authorization defect in Saleor’s account-email-change workflow allows a token generated for one user to be applied while logged in as a different user. Because the confirmation token is not verified against the currently authenticated account, the second account’s email address is overwritten with the new_email value from the token. This results in an unauthorized change of a user’s email address, potentially disrupting account recovery or notification processes; this consequence is inferred from the nature of the change.

Affected Systems

The vulnerability affects Saleor e-commerce platform versions starting from 2.10.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 contain the fix and later releases inherit the patch.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. An attacker must possess a valid email-change confirmation token for one account and be authenticated as a different account to exploit the flaw. The attack can be carried out through the normal account-management interface, making it a relatively straightforward authenticated privilege escalation within the platform.

Generated by OpenCVE AI on April 8, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Saleor to version 3.23.0a3 or later, which includes the token validation fix.
  • Confirm that the deployed instance is on a patched release; review the release notes or version metadata.
  • If an upgrade is not immediately possible, monitor for unexpected email-change activity and consider disabling or restricting the email-change feature until a patch is applied.

Generated by OpenCVE AI on April 8, 2026 at 21:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Saleor
Saleor saleor
Vendors & Products Saleor
Saleor saleor

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account’s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Title Saleor has Cross-Account Email Change via Unbound Confirmation Token
Weaknesses CWE-285
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Saleor Saleor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T17:24:39.716Z

Reserved: 2026-04-02T17:03:42.075Z

Link: CVE-2026-35407

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:24.040

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-35407

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:28:04Z

Weaknesses