CVE-2026-35407
Authorization Bypass in Saleor Email Change Workflow Allows Account Takeover
Publication date: 2026-04-08
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saleor | saleor | From 2.10.0 (inc) to 3.20.118 (exc) |
| saleor | saleor | From 3.20.119 (inc) to 3.21.54 (exc) |
| saleor | saleor | From 3.22.0 (inc) to 3.22.47 (exc) |
| saleor | saleor | 3.23.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35407 is a business-logic and authorization flaw in the Saleor e-commerce platform's account email change workflow. The confirmation process does not verify that the email change confirmation token was issued for the currently authenticated user.
As a result, a valid email-change token generated for one account can be reused by an attacker authenticated as a different user to change that second user's email address to the attacker-controlled email specified in the token.
This allows an attacker who can authenticate to one account and obtain a valid email-change token to hijack another user's account by re-binding it to an email address they control, effectively converting temporary access into a persistent account takeover.
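The missing check described above, as an added illustration that is not Saleor's code: a stdlib-only Python model in which the confirmation token carries the id of the user who requested the change, and the confirm step either ignores that id (the flawed pattern, CWE-285) or compares it with the authenticated user (the fix). The HMAC token format, the `SECRET` value and the `users` dict are constructed for this example.

```python
"""Constructed model of the flaw class behind CVE-2026-35407: an email-change
confirmation token whose signature is checked but which is never bound to the
authenticated user presenting it. This is not Saleor's code."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # placeholder, not a real signing key

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_email_change_token(user_id: int, new_email: str) -> str:
    """Issued when user_id asks to change their address. The owner id travels
    in the payload, so the confirm step can check ownership later."""
    payload = json.dumps({"user_id": user_id, "new_email": new_email}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def _verify_signature(token: str) -> Optional[dict]:
    """Authenticity only: returns the payload if the HMAC matches, else None."""
    body, _, sig = token.rpartition(".")
    try:
        payload = base64.urlsafe_b64decode(body)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(payload)

def confirm_vulnerable(users: dict, current_user_id: int, token: str) -> bool:
    """Missing authorization check (CWE-285): any validly signed token is
    applied to whoever is logged in, so a token issued for account A rebinds
    account B's email to the address chosen when A requested it."""
    data = _verify_signature(token)
    if data is None:
        return False
    users[current_user_id]["email"] = data["new_email"]
    return True

def confirm_fixed(users: dict, current_user_id: int, token: str) -> bool:
    """Hardened form: the token must have been issued for the caller."""
    data = _verify_signature(token)
    if data is None or data["user_id"] != current_user_id:
        return False
    users[current_user_id]["email"] = data["new_email"]
    return True
```

The same ownership comparison belongs in any confirmation step that applies a token to the current session (password reset, account deletion), not only email changes.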
How can this vulnerability impact me?
This vulnerability can lead to full account compromise by allowing an attacker to change the email address of another user's account to one they control.
Once the attacker controls the email address associated with the victim's account, they can reset passwords and recover the victim account, resulting in unauthorized access and loss of account integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Saleor e-commerce platform to one of the fixed versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.
No workarounds are known for this issue, so applying the official patch is the only effective mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to hijack user accounts by reusing email-change tokens issued for other accounts, leading to unauthorized modification of user email addresses and potential full account compromise.
Such unauthorized access and modification of user account information can undermine the integrity and security of personal data, which are critical requirements under regulations like GDPR and HIPAA.
Specifically, GDPR mandates protection of personal data against unauthorized access and alteration, and HIPAA requires safeguarding electronic protected health information (ePHI) to ensure confidentiality, integrity, and availability.
Therefore, this vulnerability could lead to non-compliance with these standards by exposing user data to unauthorized changes and potential account takeover, increasing the risk of data breaches and privacy violations.