CVE-2026-39851
Received Received - Intake
Information Disclosure via Email Enumeration in Saleor requestEmailChange Mutation

Publication date: 2026-04-08

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39851
EUVD
EUVD-2026-20536
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
saleor saleor From 3.22.0 (inc) to 3.22.47 (exc)
saleor saleor From 2.10.0 (inc) to 3.20.118 (exc)
saleor saleor From 3.21.0 (inc) to 3.21.54 (exc)
saleor saleor 3.23.0
saleor saleor 3.23.0
saleor saleor 3.23.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39851 is a moderate severity user enumeration vulnerability in the Saleor e-commerce platform affecting versions from 2.10.0 up to certain patched versions. It occurs in the requestEmailChange() GraphQL mutation, which reveals whether an email address exists in the system by returning distinct error messages.

This information disclosure allows attackers to confirm the existence of user-provided email addresses, enabling them to enumerate valid users.

Impact Analysis

The vulnerability allows attackers to identify valid user email addresses on the platform, which can be used for reconnaissance purposes.

This can facilitate targeted attacks such as spear-phishing by improving the attacker's ability to select potential victims.

The impact on confidentiality is low since only user existence information is disclosed, and there is no impact on data integrity or availability.

Detection Guidance

This vulnerability can be detected by monitoring for distinct error messages returned by the requestEmailChange() GraphQL mutation that reveal the existence of user-provided email addresses.

To detect exploitation attempts on your system, you can inspect logs or network traffic for requests to the requestEmailChange mutation and analyze the responses for information disclosure patterns.

Specific commands are not provided in the available resources, but typical approaches include using tools like curl or GraphQL clients to send requestEmailChange mutation queries with various email inputs and observing if error messages differ based on email validity.

Mitigation Strategies

The primary mitigation is to upgrade Saleor to one of the patched versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.

If upgrading immediately is not feasible, it is recommended to block or rate-limit the requestEmailChange GraphQL mutation to reduce the risk of exploitation.

Compliance Impact

This vulnerability allows attackers to enumerate valid user email addresses by revealing their existence through error messages in the requestEmailChange() mutation.

Such information disclosure can increase the risk of targeted attacks like spear-phishing, potentially leading to unauthorized access or data breaches.

From a compliance perspective, this leakage of user information could be considered a violation of data protection principles under regulations like GDPR and HIPAA, which require safeguarding personal data and minimizing exposure to unauthorized parties.

Therefore, failure to address this vulnerability may impact an organization's ability to comply with these standards, as it exposes user data and increases the risk of privacy violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39851. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart