{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35401", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-08T17:22:10.683Z", "dateUpdated": "2026-04-08T19:21:37.796Z"}, "containers": {"cna": {"title": "Saleor has a resource exhaustion vulnerability in GraphQL queries", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/saleor/saleor/security/advisories/GHSA-gqqv-xwx3-jj4h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saleor/saleor/security/advisories/GHSA-gqqv-xwx3-jj4h"}], "affected": [{"vendor": "saleor", "product": "saleor", "versions": [{"version": ">= 2.0.0, < 3.20.118", "status": "affected"}, {"version": ">= 3.21.0-a.0, < 3.21.54", "status": "affected"}, {"version": ">= 3.22.0-a.0, < 3.22.47", "status": "affected"}, {"version": ">= 3.23.0-a.0, < 3.23.0a3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:22:10.683Z"}, "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "source": {"advisory": "GHSA-gqqv-xwx3-jj4h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:21:30.385008Z", "id": "CVE-2026-35401", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:21:37.796Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:21:30.385008Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:21:33.887Z"}}], "cna": {"title": "Saleor has a resource exhaustion vulnerability in GraphQL queries", "source": {"advisory": "GHSA-gqqv-xwx3-jj4h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "saleor", "product": "saleor", "versions": [{"status": "affected", "version": ">= 2.0.0, < 3.20.118"}, {"status": "affected", "version": ">= 3.21.0-a.0, < 3.21.54"}, {"status": "affected", "version": ">= 3.22.0-a.0, < 3.22.47"}, {"status": "affected", "version": ">= 3.23.0-a.0, < 3.23.0a3"}]}], "references": [{"url": "https://github.com/saleor/saleor/security/advisories/GHSA-gqqv-xwx3-jj4h", "name": "https://github.com/saleor/saleor/security/advisories/GHSA-gqqv-xwx3-jj4h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:22:10.683Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35401", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:21:37.796Z", "dateReserved": "2026-04-02T17:03:42.074Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T17:22:10.683Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B4A5EA6-A42E-41BA-9A75-20C9FF65EE98", "versionEndExcluding": "3.20.118", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "matchCriteriaId": "2312AF3F-A049-4E4B-AAEF-21D7B5463A3A", "versionEndExcluding": "3.21.54", "versionStartIncluding": "3.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABB6E342-967D-4F4D-9869-BC24C630ACEF", "versionEndExcluding": "3.22.47", "versionStartIncluding": "3.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:3.23.0:alpha0:*:*:*:*:*:*", "matchCriteriaId": "086CBDFF-B1C4-4AD4-9F39-00B028E29338", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:3.23.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "404B7EE8-9CE0-4B8D-B0B7-2DF60F355E72", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:3.23.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "6DD7D745-F558-4CBE-9110-2F7DCBCF4D2F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "id": "CVE-2026-35401", "lastModified": "2026-04-20T20:03:15.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:23.740", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/saleor/saleor/security/advisories/GHSA-gqqv-xwx3-jj4h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,3.20.118)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.21.0-a.0,3.21.54)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.22.0-a.0,3.22.47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.23.0-a.0,3.23.0a3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "saleor", "source": "cna", "vendor": "saleor"}, "product": "saleor", "vendor": "saleor"}], "analysis": {"en": {"generated_at": "2026-04-08T19:56:12.621589+00:00", "value": {"mitigation_remediation": ["Upgrade Saleor to version 3.23.0a3 or later, or to the corresponding patched releases 3.22.47, 3.21.54, or 3.20.118.", "Apply application\u2011level rate limiting to the GraphQL API to constrain the number of operations per request and the total number of concurrent requests.", "Restrict access to the GraphQL endpoint so that only authorized users or trusted network ranges can reach it.", "Monitor server resource utilization and set alerts for abnormal spikes that may indicate abuse of the GraphQL interface."], "summary": {"action": "Patch Now", "impact": "Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "Vendors affected are Saleor for the Saleor e\u2011commerce platform. The issue is present in all releases from 2.0.0 up to just before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. The vulnerability is remedied by upgrading to 3.23.0a3 or the corresponding patched releases 3.22.47, 3.21.54, or 3.20.118.", "description_and_impact": "Saleor, an e\u2011commerce platform, contains a GraphQL resource exhaustion flaw that allows an attacker to send numerous mutations or queries in a single request through aliases or mutation chaining. The flaw enables abuse of server resources, potentially leading to denial of service and compromising availability. The weakness is classified as CWE-770, entitled The system has insufficient total resource limits. The main consequence is that an attacker can exhaust CPU, memory, or other server limits, resulting in service disruption.", "risk_and_exploitability": "With a CVSS score of 7.5, the vulnerability has high severity. The EPSS score is not available and it is not listed in CISA\u2019s KEV catalog, indicating that a documented exploit is not publicly known. According to the description, the most likely attack vector is a remote GraphQL API call over HTTP or HTTPS; an attacker can perform the exploitation simply by sending a crafted request from any external source. No authentication is required beyond having access to the GraphQL endpoint, and the exploitation can be done with unauthenticated or low\u2011privilege accounts if the API is exposed."}}}}, "created": "2026-04-08T19:59:44.142977+00:00", "updated": "2026-04-08T20:12:51.211573+00:00", "vendors": ["saleor", "saleor$PRODUCT$saleor"]}