CVE-2026-39851
Information Disclosure via Email Enumeration in Saleor requestEmailChange Mutation
Publication date: 2026-04-08
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saleor | saleor | From 3.22.0 (inc) to 3.22.47 (exc) |
| saleor | saleor | From 2.10.0 (inc) to 3.20.118 (exc) |
| saleor | saleor | From 3.21.0 (inc) to 3.21.54 (exc) |
| saleor | saleor | 3.23.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to enumerate valid user email addresses by revealing their existence through error messages in the requestEmailChange() mutation.
Such information disclosure can increase the risk of targeted attacks like spear-phishing, potentially leading to unauthorized access or data breaches.
From a compliance perspective, this leakage of user information could be considered a violation of data protection principles under regulations like GDPR and HIPAA, which require safeguarding personal data and minimizing exposure to unauthorized parties.
Therefore, failure to address this vulnerability may impact an organization's ability to comply with these standards, as it exposes user data and increases the risk of privacy violations.
Can you explain this vulnerability to me?
CVE-2026-39851 is a moderate severity user enumeration vulnerability in the Saleor e-commerce platform affecting versions from 2.10.0 up to certain patched versions. It occurs in the requestEmailChange() GraphQL mutation, which reveals whether an email address exists in the system by returning distinct error messages.
This information disclosure allows attackers to confirm the existence of user-provided email addresses, enabling them to enumerate valid users.
How can this vulnerability impact me?
The vulnerability allows attackers to identify valid user email addresses on the platform, which can be used for reconnaissance purposes.
This can facilitate targeted attacks such as spear-phishing by improving the attacker's ability to select potential victims.
The impact on confidentiality is low since only user existence information is disclosed, and there is no impact on data integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for distinct error messages returned by the requestEmailChange() GraphQL mutation that reveal the existence of user-provided email addresses.
To detect exploitation attempts on your system, you can inspect logs or network traffic for requests to the requestEmailChange mutation and analyze the responses for information disclosure patterns.
Specific commands are not provided in the available resources, but typical approaches include using tools like curl or GraphQL clients to send requestEmailChange mutation queries with various email inputs and observing if error messages differ based on email validity.
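As an added illustration of the log-inspection approach described above (example code, not part of this record or of Saleor), the script below groups requestEmailChange calls by client and flags clients that submit many distinct email values while receiving more than one distinct response outcome, which is exactly the differential-response oracle described by CWE-204. The log lines are constructed for the example and their field names are an assumption, not Saleor's real log schema; adapt the parser to whatever your gateway or application logs actually emit.

```python
import json
from collections import defaultdict

# Constructed sample log (one JSON object per line). The field names are an
# assumption for this example, not Saleor's real log schema.
SAMPLE_LOG = """\
{"client":"203.0.113.7","operation":"requestEmailChange","new_email":"a@example.com","errors":["Email already exists"]}
{"client":"203.0.113.7","operation":"requestEmailChange","new_email":"b@example.com","errors":[]}
{"client":"203.0.113.7","operation":"requestEmailChange","new_email":"c@example.com","errors":["Email already exists"]}
{"client":"203.0.113.7","operation":"requestEmailChange","new_email":"d@example.com","errors":[]}
{"client":"203.0.113.7","operation":"requestEmailChange","new_email":"e@example.com","errors":[]}
{"client":"198.51.100.4","operation":"requestEmailChange","new_email":"me@example.com","errors":[]}
{"client":"198.51.100.4","operation":"tokenCreate","errors":["Invalid credentials"]}
not a json line
"""


def parse_lines(log_text):
    """Yield parsed requestEmailChange events, skipping malformed or unrelated lines."""
    for raw in log_text.splitlines():
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("operation") == "requestEmailChange":
            yield event


def find_enumeration(log_text, min_distinct_emails=3):
    """Per client, count distinct new_email values sent to requestEmailChange and
    distinct response outcomes. A client probing many emails and receiving more
    than one outcome is exercising the CWE-204 oracle; one outcome is normal use."""
    by_client = defaultdict(lambda: {"emails": set(), "outcomes": set(), "requests": 0})
    for ev in parse_lines(log_text):
        stats = by_client[ev["client"]]
        stats["requests"] += 1
        stats["emails"].add(ev.get("new_email", ""))
        # Collapse the error list to one string so differing responses stand out.
        stats["outcomes"].add("|".join(sorted(ev.get("errors", []))) or "ok")
    report = {}
    for client, s in by_client.items():
        report[client] = {
            "requests": s["requests"],
            "distinct_emails": len(s["emails"]),
            "distinct_outcomes": len(s["outcomes"]),
            "suspicious": len(s["emails"]) >= min_distinct_emails and len(s["outcomes"]) > 1,
        }
    return report
```

The per-client request count doubles as the input for the rate-limit recommended below: a client whose `requests` for this mutation far exceeds what a single account legitimately needs is the one to throttle.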
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Saleor to one of the patched versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.
If upgrading immediately is not feasible, it is recommended to block or rate-limit the requestEmailChange GraphQL mutation to reduce the risk of exploitation.