Executive Summary

CVE-2026-33756 is a high-severity vulnerability in Saleor, an e-commerce platform using GraphQL. The issue arises because Saleor allowed multiple GraphQL operations to be submitted in a single HTTP request as a JSON array (query batching) without enforcing any upper limit on the number of operations.

This lack of limits enables an unauthenticated attacker to send a single HTTP request containing a very large number of operations, bypassing per-query complexity limits and exhausting server resources such as CPU, memory, and database connections. This can cause the server's asynchronous workers to become blocked, resulting in denial of service.

Additionally, the vulnerability involves improper validation and handling of email change confirmation tokens in the GraphQL API, which could allow unauthorized email changes or token misuse. The fixes include strict validation of token types, user identity matching, email uniqueness checks, and limits on GraphQL mutations and aliases per request.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform a denial of service (DoS) attack on your Saleor e-commerce platform. By sending a single HTTP request with a large number of GraphQL operations, the attacker can exhaust server resources such as CPU, memory, and database connections.

This resource exhaustion can cause the server's asynchronous workers to become blocked, making the platform unresponsive or unavailable to legitimate users.

Furthermore, the improper validation of email change confirmation tokens could allow unauthorized users to change email addresses, potentially leading to account takeover or misuse.

The vulnerability has been fixed by imposing limits on the number of operations per batch request, enforcing strict token validation, and limiting the number of mutations and aliases per API call to prevent abuse.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an unauthenticated attacker sending a single HTTP request containing a very large number of GraphQL operations in a JSON array, bypassing per-query complexity limits and exhausting server resources.

To detect exploitation attempts on your network or system, you should monitor incoming HTTP requests to the Saleor GraphQL endpoint for unusually large JSON arrays representing batched GraphQL operations.

Suggested detection methods include:

• Inspect HTTP request bodies to the GraphQL endpoint for JSON arrays with an excessive number of operations.
• Use network monitoring or intrusion detection systems (IDS) to flag requests with large payload sizes or high numbers of batched operations.
• Analyze server logs for spikes in CPU, memory, or database connection usage correlated with large batch requests.

Example commands (assuming access to logs or network captures):

• Using grep and jq on server logs to find large batch requests: `grep -i "POST /graphql" access.log | jq 'select(length > 100)'` (adjust length threshold as needed).
• Using tcpdump or Wireshark to capture HTTP POST requests and filter for large JSON arrays in the request body.

Additionally, monitoring for denial-of-service symptoms such as blocked uvicorn workers or resource exhaustion can indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps for CVE-2026-33756 focus on limiting the number of GraphQL operations per HTTP request to prevent resource exhaustion.

• Upgrade Saleor to a fixed version: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118, where the vulnerability is patched.
• If upgrading immediately is not possible, apply Web Application Firewall (WAF) rules to limit the HTTP request body size or restrict the number of items in JSON arrays in requests to the GraphQL endpoint.
• Configure or enforce the new GraphQL API limits introduced in the patch: `GRAPHQL_MUTATION_COUNT_LIMIT` (default 1 mutation per call) and `GRAPHQL_ALIAS_COUNT_LIMIT` (default 100 aliases per API call) to prevent abuse.
• Monitor server resource usage and logs to detect and respond to potential exploitation attempts.

These steps help prevent denial-of-service attacks by restricting excessive GraphQL operations in a single request and improving overall API request handling.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-33756 affects Saleor's GraphQL API by allowing unauthenticated attackers to abuse the email change confirmation process and to perform denial-of-service attacks via unlimited GraphQL operations in batch requests.

The vulnerability involves improper validation and handling of email change confirmation tokens, which could allow unauthorized email changes or token misuse. This could potentially lead to unauthorized access or modification of user account information.

From a compliance perspective, such unauthorized email changes and token misuse could impact data integrity and user account security, which are critical under regulations like GDPR and HIPAA that require protection of personal data and user identity.

Additionally, the denial-of-service aspect caused by resource exhaustion could affect availability, another important factor in compliance frameworks that mandate reliable access to services and data.

The fixes introduced strict token validation, user identity verification, and limits on GraphQL API usage to prevent abuse, thereby helping to maintain data integrity, confidentiality, and availability, which are key principles in common standards and regulations.

Useful 0 Not Useful 0