CVE-2026-35407
Received Received - Intake
Authorization Bypass in Saleor Email Change Workflow Allows Account Takeover

Publication date: 2026-04-08

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account’s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35407
EUVD
EUVD-2026-20534
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
saleor saleor From 3.20.119 (inc) to 3.21.54 (exc)
saleor saleor From 3.22.0 (inc) to 3.22.47 (exc)
saleor saleor 3.23.0
saleor saleor 3.23.0
saleor saleor 3.23.0
saleor saleor 3.23.0
saleor saleor From 2.10.0 (inc) to 3.20.118 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35407 is a business-logic and authorization flaw in the Saleor e-commerce platform's account email change workflow. The confirmation process does not verify that the email change confirmation token was issued for the currently authenticated user.

As a result, a valid email-change token generated for one account can be reused by an attacker authenticated as a different user to change that second user’s email address to the attacker-controlled email specified in the token.

This allows an attacker who can authenticate to one account and obtain a valid email-change token to hijack another user’s account by re-binding it to an email address they control, effectively converting temporary access into a persistent account takeover.

Impact Analysis

This vulnerability can lead to full account compromise by allowing an attacker to change the email address of another user's account to one they control.

Once the attacker controls the email address associated with the victim's account, they can reset passwords and recover the victim account, resulting in unauthorized access and loss of account integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Saleor e-commerce platform to one of the fixed versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.

No workarounds are known for this issue, so applying the official patch is the only effective mitigation.

Compliance Impact

This vulnerability allows an attacker to hijack user accounts by reusing email-change tokens issued for other accounts, leading to unauthorized modification of user email addresses and potential full account compromise.

Such unauthorized access and modification of user account information can undermine the integrity and security of personal data, which are critical requirements under regulations like GDPR and HIPAA.

Specifically, GDPR mandates protection of personal data against unauthorized access and alteration, and HIPAA requires safeguarding electronic protected health information (ePHI) to ensure confidentiality, integrity, and availability.

Therefore, this vulnerability could lead to non-compliance with these standards by exposing user data to unauthorized changes and potential account takeover, increasing the risk of data breaches and privacy violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35407. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart