{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39851", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.378Z", "datePublished": "2026-04-08T17:33:37.998Z", "dateUpdated": "2026-04-08T19:22:20.422Z"}, "containers": {"cna": {"title": "Saleor has a user enumeration vulnerability due to different error messages", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/saleor/saleor/security/advisories/GHSA-m3rm-m4vq-27x7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saleor/saleor/security/advisories/GHSA-m3rm-m4vq-27x7"}, {"name": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"}, {"name": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"}, {"name": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"}, {"name": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"}, {"name": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"}], "affected": [{"vendor": "saleor", "product": "saleor", "versions": [{"version": ">= 2.10.0, < 3.20.118", "status": "affected"}, {"version": ">= 3.21.0-a.0, < 3.21.54", "status": "affected"}, {"version": ">= 3.22.0-a.0, < 3.22.47", "status": "affected"}, {"version": ">= 3.23.0-a.0, < 3.23.0a3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:33:37.998Z"}, "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "source": {"advisory": "GHSA-m3rm-m4vq-27x7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:16:38.478415Z", "id": "CVE-2026-39851", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:22:20.422Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39851", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:16:38.478415Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:17:16.341Z"}}], "cna": {"title": "Saleor has a user enumeration vulnerability due to different error messages", "source": {"advisory": "GHSA-m3rm-m4vq-27x7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "saleor", "product": "saleor", "versions": [{"status": "affected", "version": ">= 2.10.0, < 3.20.118"}, {"status": "affected", "version": ">= 3.21.0-a.0, < 3.21.54"}, {"status": "affected", "version": ">= 3.22.0-a.0, < 3.22.47"}, {"status": "affected", "version": ">= 3.23.0-a.0, < 3.23.0a3"}]}], "references": [{"url": "https://github.com/saleor/saleor/security/advisories/GHSA-m3rm-m4vq-27x7", "name": "https://github.com/saleor/saleor/security/advisories/GHSA-m3rm-m4vq-27x7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64", "name": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8", "name": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a", "name": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa", "name": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464", "name": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:33:37.998Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39851", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:22:20.422Z", "dateReserved": "2026-04-07T19:13:20.378Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T17:33:37.998Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "matchCriteriaId": "276853A9-A9F2-46A0-8B3F-1C4706BD134C", "versionEndExcluding": "3.20.118", "versionStartIncluding": "2.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "matchCriteriaId": "2312AF3F-A049-4E4B-AAEF-21D7B5463A3A", "versionEndExcluding": "3.21.54", "versionStartIncluding": "3.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABB6E342-967D-4F4D-9869-BC24C630ACEF", "versionEndExcluding": "3.22.47", "versionStartIncluding": "3.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:3.23.0:alpha0:*:*:*:*:*:*", "matchCriteriaId": "086CBDFF-B1C4-4AD4-9F39-00B028E29338", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:3.23.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "404B7EE8-9CE0-4B8D-B0B7-2DF60F355E72", "vulnerable": true}, {"criteria": "cpe:2.3:a:saleor:saleor:3.23.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "6DD7D745-F558-4CBE-9110-2F7DCBCF4D2F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "id": "CVE-2026-39851", "lastModified": "2026-04-20T20:01:43.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:26.620", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/saleor/saleor/security/advisories/GHSA-m3rm-m4vq-27x7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.10.0,3.20.118)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.21.0-a.0,3.21.54)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.22.0-a.0,3.22.47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.23.0-a.0,3.23.0a3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "saleor", "source": "cna", "vendor": "saleor"}, "product": "saleor", "vendor": "saleor"}], "analysis": {"en": {"generated_at": "2026-04-08T19:54:12.397974+00:00", "value": {"mitigation_remediation": ["Upgrade Saleor to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 where the enumeration bug is fixed.", "If upgrading is not immediately possible, restrict access to the requestEmailChange endpoint to authenticated users only or disable it temporarily.", "Verify after applying the fix that error responses no longer differ based on email existence by performing test requests.", "Monitor logs for repeated enumeration attempts and apply general security best practices such as rate limiting and IP blocking."], "summary": {"action": "Apply Patch", "impact": "User Enumeration"}, "threat_synthesis": {"affected_systems": "Saleor e\u2011commerce platform versions from 2.10.0 up to just before 3.23.0a3, and the specific releases 3.22.47, 3.21.54, and 3.20.118 are susceptible. Users running these builds may experience the enumeration flaw.", "description_and_impact": "The requestEmailChange mutation in Saleor produced distinct error messages that exposed whether an email address was registered in the system. This allows an attacker to confirm the existence of user accounts simply by submitting a change\u2011email request and observing the response. The problem is an information\u2011exposure weakness (CWE\u2011204) that can reveal the membership composition of an e\u2011commerce store, potentially aiding further attacks such as targeted phishing or credential\u2011reuse attempts.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the KEV catalog. An attacker can reach the vulnerable endpoint over the network, submit arbitrary email addresses, and deduce account existence based on differing error messages. The risk is that an enumerated list of user emails can be leveraged for social engineering or other malicious activities."}}}}, "created": "2026-04-08T19:55:22.473680+00:00", "updated": "2026-04-08T20:12:46.841493+00:00", "vendors": ["saleor", "saleor$PRODUCT$saleor"]}