CVE-2026-35401
GraphQL Resource Exhaustion in Saleor E-commerce Platform
Publication date: 2026-04-08
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saleor | saleor | From 2.0.0 (inc) to 3.20.118 (exc) |
| saleor | saleor | From 3.22.0 (inc) to 3.22.47 (exc) |
| saleor | saleor | From 3.21.0 (inc) to 3.21.54 (exc) |
| saleor | saleor | 3.23.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes resource exhaustion leading to denial of service. It affects availability only; the confidentiality and integrity of stored data are not at risk.
Because confidentiality and integrity are unaffected, the vulnerability does not by itself breach the personal-data protection requirements of regimes such as GDPR or HIPAA.
Both regimes do, however, treat availability as part of their security requirements: GDPR Article 32 names the availability and resilience of processing systems, and the HIPAA Security Rule requires covered entities to protect the availability of electronic protected health information. A denial of service against an affected deployment can therefore still become a compliance matter.
Organizations running affected versions should mitigate this vulnerability to maintain compliance with those availability requirements.
Can you explain this vulnerability to me?
CVE-2026-35401 is a high-severity resource exhaustion vulnerability (CWE-770) in the GraphQL API of the Saleor e-commerce platform. It affects Saleor 2.0.0 up to but not including 3.20.118, 3.21.0 before 3.21.54, 3.22.0 before 3.22.47, and the 3.23.0 pre-release line before 3.23.0a3. GraphQL lets a client repeat the same field under different aliases or list many root fields (chained mutations) in one operation, and the server executes each of them. Because the affected versions did not cap how many operations a single request may trigger, one unauthenticated request can invoke hundreds of mutations or expensive queries and consume CPU, database connections and worker time out of all proportion to its size, which can deny service to legitimate users.
How can this vulnerability impact me?
This vulnerability can lead to resource exhaustion on the affected system, which may cause denial of service (DoS). Since the attack can be performed remotely without any privileges or user interaction, it can disrupt the availability of the Saleor platform, making it unavailable to legitimate users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because an attacking request is well-formed GraphQL, detection relies on request structure rather than signatures: count, per request, the number of root fields and the number of aliases in the top-level selection set (and, if the endpoint accepts JSON arrays, the number of batched operations), and alert when a single request or source far exceeds what your storefront and dashboard clients normally send. Correlate this with server-side symptoms such as spikes in request duration, database connection pool saturation or worker timeouts that line up with a small number of source addresses.
No specific commands are provided. Application or API-gateway logs that capture request bodies are the usual data source. A regular-expression filter that counts `name:` alias patterns in the body is a quick first pass, but it is brittle: GraphQL ignores whitespace and comments, argument values also contain colons, and a JSON batch hides several operations in one body. A small parser that tracks selection-set depth is more reliable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Saleor to a patched release: 3.20.118, 3.21.54, 3.22.47, or 3.23.0a3 (a pre-release of the 3.23 line).
If upgrading immediately is not feasible, limit the damage at the edge: cap the request body size at the reverse proxy or WAF, reject operations whose top-level selection set contains more than a small number of root fields or aliases, cap the number of operations per batched request, and rate-limit the GraphQL endpoint per source address. Blocking all aliases with a regular-expression rule is a blunt instrument: legitimate storefront clients use aliases, and a regex can be evaded by reformatting the query. Prefer a structural limit and treat these controls as a stopgap until the upgrade is done.
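The detection advice above (count aliases, root fields and batched operations per request) and the interim mitigation (reject requests that exceed a structural limit) need the same counter, so the following worked example serves both. It is added for this page and is not Saleor's own code or its fix for this CVE, and it does not depend on graphql-core. The LIMITS values, the log-line format, the source addresses and the sample queries are constructed for illustration (checkoutCreate stands in for any expensive mutation). It generalises slightly beyond the page's wording by also counting JSON-array batches, which multiply server work the same way aliases do.

```python
"""Added example: count root fields, aliases and batched operations per GraphQL request."""
import json
import re

# Strip string literals (block strings first) and comments so that braces,
# parentheses and colons inside them are not mistaken for structure.
_STRING_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_COMMENT_RE = re.compile(r"#[^\r\n]*")
_TOKEN_RE = re.compile(r"\.\.\.|[_A-Za-z][_0-9A-Za-z]*|\S")  # spread, name, or one char
_NAME_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def count_root_selections(document: str) -> dict:
    """Count root fields and aliases in one GraphQL document.

    Brace depth 1 is an operation's top-level selection set: every name there
    is a root field, and `name :` marks an alias. Parenthesised argument and
    variable lists (which may contain braces and colons) are skipped, and
    fragment definitions are not counted.
    """
    text = _COMMENT_RE.sub(" ", _STRING_RE.sub("0", document))
    brace = paren = root_fields = aliases = skip_names = 0
    def_keyword = None          # first token of the current top-level definition
    in_fragment = last_was_name = False
    for match in _TOKEN_RE.finditer(text):
        tok = match.group()
        was_name, last_was_name = last_was_name, False
        if paren:                                   # inside ( ... ): skip wholesale
            paren += (tok == "(") - (tok == ")")
            continue
        if tok == "(":
            paren = 1
        elif tok == "{":
            if brace == 0:
                in_fragment = def_keyword == "fragment"
            brace += 1
        elif tok == "}":
            brace -= 1
            if brace == 0:
                def_keyword = None
        elif brace == 0:
            if def_keyword is None and _NAME_RE.fullmatch(tok):
                def_keyword = tok                   # query / mutation / subscription / fragment
        elif brace == 1 and not in_fragment:
            if tok == ":" and was_name:
                aliases += 1                        # the name before ':' was an alias,
                root_fields -= 1                    # the real field name follows and is counted then
            elif tok in ("@", "..."):
                skip_names = 1                      # directive name, or fragment name / 'on'
            elif _NAME_RE.fullmatch(tok):
                if skip_names:
                    skip_names = 1 if tok == "on" else 0   # '... on Type': skip the type name too
                else:
                    root_fields += 1
                    last_was_name = True
    return {"root_fields": root_fields, "aliases": aliases}


def analyze_body(body: str) -> dict:
    """Summarise one HTTP request body: a single operation or a JSON-array batch."""
    summary = {"operations": 0, "root_fields": 0, "aliases": 0}
    try:
        data = json.loads(body)
    except ValueError:
        return summary                              # not JSON; the application will reject it
    for op in data if isinstance(data, list) else [data]:
        query = op.get("query") if isinstance(op, dict) else None
        if isinstance(query, str):
            counts = count_root_selections(query)
            summary["operations"] += 1
            summary["root_fields"] += counts["root_fields"]
            summary["aliases"] += counts["aliases"]
    return summary


# Assumed limits for this example; tune to what legitimate clients actually send.
LIMITS = {"operations": 5, "root_fields": 10, "aliases": 5}


def check_request(body: str, limits: dict = LIMITS):
    """Mitigation gate: None if within limits, else a reason string for a 4xx reject."""
    summary = analyze_body(body)
    for key, cap in limits.items():
        if summary[key] > cap:
            return f"{key}={summary[key]} exceeds limit {cap}"
    return None


def flag_log_lines(lines, limits: dict = LIMITS):
    """Detection: run the same gate over JSON log lines of the form {"src": ..., "body": ...}."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        reason = check_request(entry["body"], limits)
        if reason:
            hits.append((entry["src"], reason))
    return hits


# Constructed sample traffic, not captured data. Addresses are from documentation ranges.
BENIGN = json.dumps({"query": 'mutation { checkoutCreate(input: {lines: [{quantity: 1, variantId: "x"}]})'
                              ' { checkout { id } errors { field message } } }'})
ALIAS_FLOOD = json.dumps({"query": "mutation { " + " ".join(
    f"a{i}: checkoutCreate(input: {{lines: []}}) {{ checkout {{ id }} }}" for i in range(200)) + " }"})
BATCH = json.dumps([json.loads(BENIGN)] * 50)
SAMPLE_LOG = [
    json.dumps({"src": "198.51.100.4", "body": BENIGN}),
    json.dumps({"src": "203.0.113.7", "body": ALIAS_FLOOD}),
    json.dumps({"src": "203.0.113.9", "body": BATCH}),
]

if __name__ == "__main__":
    for src, reason in flag_log_lines(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

The counter deliberately ignores nested selection sets: the point of this CVE is the number of root operations executed per request, and nested depth is a separate (query-depth) control. `check_request` is framework-neutral so it can sit in a WSGI middleware, an API gateway plugin or a log-scanning job; whichever place you choose, log the reason string so the threshold can be tuned against real traffic before it is enforced.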