Resource Exhaustion Vulnerability in Saleor E-Commerce Platform
CVE-2026-35401

7.5HIGH

Key Information:

Vendor: Saleor
Status: Saleor
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-35401?

A vulnerability exists in the Saleor e-commerce platform that allows a malicious actor to exploit GraphQL functionality by including multiple mutations or queries in a single API call, utilizing aliases or chaining. This can lead to significant resource exhaustion, potentially affecting the availability and responsiveness of the application. The vulnerability has been addressed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

Affected Version(s)

saleor >= 2.0.0, < 3.20.118 < 2.0.0, 3.20.118

saleor >= 3.21.0-a.0, < 3.21.54 < 3.21.0-a.0, 3.21.54

saleor >= 3.22.0-a.0, < 3.22.47 < 3.22.0-a.0, 3.22.47

References

https://github.com/saleor/saleor/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35401 Data

JSON