Description
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration
Action: Apply Patch
AI Analysis

Impact

The requestEmailChange mutation in Saleor returned distinct error messages depending on whether the submitted email address was already registered. An authenticated caller (the CVSS vector below records PR:L, i.e. an ordinary account suffices) can therefore confirm whether any address belongs to an account simply by submitting it as the new email and reading the response. This is an observable-discrepancy weakness (CWE-204): the endpoint's behaviour leaks which addresses have accounts on the store, which can feed targeted phishing, credential-stuffing, or password-reset abuse against those accounts.

Affected Systems

Saleor versions from 2.10.0 up to, but not including, the fixed releases are affected. The fix landed in 3.23.0a3 and was backported to 3.22.47, 3.21.54, and 3.20.118; any build of a supported line older than its fixed release is susceptible.

Risk and Exploitability

The CVSS 4.0 score is 5.3 (Medium); the vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N says the attack is network-reachable with low complexity, needs a low-privileged account and no user interaction, and has a low confidentiality impact only. EPSS is below 1%, and the vulnerability is not listed in the KEV catalog. An attacker with a store account can submit arbitrary candidate addresses to the mutation and infer which ones are registered from the differing error messages. The risk is that the resulting list of confirmed customer emails is used for social engineering or credential attacks rather than any direct compromise of data.

Generated by OpenCVE AI on April 8, 2026 at 19:54 UTC.

Remediation

The vendor has released fixed versions: 3.23.0a3, and the backports 3.22.47, 3.21.54, and 3.20.118. No separate workaround is documented.

OpenCVE Recommended Actions

  • Upgrade Saleor to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 where the enumeration bug is fixed.
  • If upgrading is not immediately possible, note that the mutation already requires an authenticated session (CVSS PR:L), so the exposure is to registered users; rate-limit requestEmailChange per account or temporarily disable it until the patched release can be deployed.
  • Verify after applying the fix that error responses no longer differ based on email existence by performing test requests.
  • Monitor logs for repeated enumeration attempts and apply general security best practices such as rate limiting and IP blocking.
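As an added illustration, not Saleor's code and not its actual messages or fix, the following Python models the weakness described under Impact together with the differential check recommended above. It contains a leaky handler that returns a distinct error when the new address is taken, a uniform handler that responds identically either way and simply does not send the confirmation mail for a taken address, and a probe that reports whether the two cases are distinguishable. The account table, error strings, handler names and redirect URL are constructed for the example; only the mutation's argument names (newEmail, password, redirectUrl) follow Saleor's public GraphQL schema.

```python
# Added example (not Saleor's code): an in-process model of a
# "request email change" mutation, in a leaky and a hardened form,
# plus the differential probe used to verify a fix. Runs offline.
import secrets

# Constructed sample accounts (hypothetical). The attacker owns "mallory".
USERS = {
    "alice@example.com": "correct-horse-battery",
    "mallory@example.com": "attacker-pw",
}
OUTBOX = []  # confirmation mails a real handler would have sent

# Shape of the real request (argument names as in Saleor's public schema).
# The probe below calls the handlers directly instead of posting this.
PROBE_QUERY = """
mutation($newEmail: String!, $password: String!, $redirectUrl: String!) {
  requestEmailChange(newEmail: $newEmail, password: $password,
                     redirectUrl: $redirectUrl) {
    errors { field code message }
  }
}
"""


def leaky_handler(actor, password, new_email, redirect_url):
    """Vulnerable shape (CWE-204): the response differs depending on
    whether new_email already belongs to an account. Messages are
    illustrative, not Saleor's."""
    if USERS.get(actor) != password:
        return {"errors": [{"field": "password", "code": "INVALID_PASSWORD",
                            "message": "Invalid password."}]}
    if new_email in USERS:
        # This branch is the leak: the caller learns the address is
        # registered without controlling it.
        return {"errors": [{"field": "newEmail", "code": "UNIQUE",
                            "message": "This email is already in use."}]}
    OUTBOX.append((new_email, secrets.token_urlsafe(16), redirect_url))
    return {"errors": []}


def uniform_handler(actor, password, new_email, redirect_url):
    """Hardened shape: same response whether or not new_email is taken.
    The confirmation mail is silently skipped for a taken address, so
    only the legitimate owner of that address could ever notice."""
    if USERS.get(actor) != password:
        return {"errors": [{"field": "password", "code": "INVALID_PASSWORD",
                            "message": "Invalid password."}]}
    if new_email not in USERS:
        OUTBOX.append((new_email, secrets.token_urlsafe(16), redirect_url))
    return {"errors": []}


def canonical(resp):
    """Reduce a response to exactly what a caller can observe and compare."""
    return tuple(sorted((e["field"], e["code"], e["message"])
                        for e in resp["errors"]))


def enumerates(handler, actor="mallory@example.com", password="attacker-pw"):
    """Differential test for the 'verify after patching' step: probe one
    address known to be registered and one that is not. Any difference
    in the observable response means the endpoint enumerates accounts."""
    redirect = "https://shop.example/confirm"  # hypothetical
    taken = canonical(handler(actor, password, "alice@example.com", redirect))
    free = canonical(handler(actor, password,
                             "nobody-%s@example.com" % secrets.token_hex(4),
                             redirect))
    return taken != free


if __name__ == "__main__":
    print("leaky handler enumerates:", enumerates(leaky_handler))      # True
    print("uniform handler enumerates:", enumerates(uniform_handler))  # False
```

Two caveats for the real verification. First, probe with valid credentials: with a wrong password both handlers above return the same password error, so a test run from an unauthenticated or mis-credentialed session would wrongly report the endpoint as fixed. Second, the uniform handler still takes a different code path (it skips the mail send) for a taken address, so a response-body check like this one should be paired with a timing comparison, and the endpoint should be rate-limited regardless.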


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Saleor
                                      Saleor saleor
Vendors & Products                    Saleor
                                      Saleor saleor
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 18:30:00 +0000

Type                 Values Removed   Values Added
Description                           Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Title                                 Saleor has a user enumeration vulnerability due to different error messages
Weaknesses                            CWE-204
References
Metrics                               cvssV4_0
                                      {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:22:20.422Z

Reserved: 2026-04-07T19:13:20.378Z

Link: CVE-2026-39851

Vulnrichment

Updated: 2026-04-08T19:17:16.341Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:26.620

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:12:46Z

Weaknesses