Business Logic and Authorization Flaw in Saleor E-Commerce Platform
CVE-2026-35407

5.9 MEDIUM

Key Information:

Vendor: Saleor
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-35407?

The Saleor e-commerce platform has a business logic and authorization flaw in its account email change workflow. An email change confirmation token issued for one account can be replayed by an authenticated user of a different account. The email address of that second account is then changed to the new_email value carried in the token, even though the token was never issued for, or verified against, that account. The root cause is a missing binding check: the confirmation step validates the token itself but does not confirm that it belongs to the account performing the confirmation. The impact is integrity-only (an account's email address can be rewritten); the page records no confidentiality or availability impact, which is consistent with the MEDIUM rating.
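The flaw is easiest to see with the check missing and then present. The following is an added illustration, not Saleor's own code: it assumes a hypothetical HMAC-signed token format (`issue_email_change_token`, `parse_token`), a constructed in-memory user store (`USERS`), and two hypothetical confirmation handlers, one that applies whatever `new_email` a validly signed token carries to the logged-in account, and one that first checks the token's `user_id` against the authenticated account.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed demo secret; a real deployment reads this from its settings.
SECRET = b"constructed-demo-secret-do-not-use"

# Constructed user store: user id -> account record.
USERS: Dict[int, Dict[str, str]] = {
    1: {"email": "alice@example.com"},
    2: {"email": "bob@example.com"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_email_change_token(user_id: int, new_email: str) -> str:
    """Mint a signed token for a pending email change on one account (hypothetical format)."""
    payload = json.dumps(
        {"purpose": "email_change", "user_id": user_id, "new_email": new_email},
        sort_keys=True,
    ).encode("utf-8")
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_token(token: str) -> Optional[dict]:
    """Return the payload if the signature verifies, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def confirm_email_change_vulnerable(users, authenticated_user_id, token) -> bool:
    """Flawed handler: any validly signed token is applied to the logged-in account."""
    payload = parse_token(token)
    if payload is None:
        return False
    # The bug: no check that the token was issued for this account.
    users[authenticated_user_id]["email"] = payload["new_email"]
    return True


def confirm_email_change_fixed(users, authenticated_user_id, token) -> bool:
    """Hardened handler: the token must be bound to the authenticated account."""
    payload = parse_token(token)
    if payload is None or payload.get("purpose") != "email_change":
        return False
    # Binding check: reject a token minted for a different account.
    if payload.get("user_id") != authenticated_user_id:
        return False
    users[authenticated_user_id]["email"] = payload["new_email"]
    return True


def demo() -> dict:
    """Replay a token issued for account 1 against account 2 on both handlers."""
    vulnerable = {uid: dict(rec) for uid, rec in USERS.items()}
    fixed = {uid: dict(rec) for uid, rec in USERS.items()}
    token = issue_email_change_token(1, "attacker@example.com")
    # Forged token: a payload naming account 2, glued to account 1's signature.
    forged_payload = json.dumps(
        {"purpose": "email_change", "user_id": 2, "new_email": "attacker@example.com"},
        sort_keys=True,
    ).encode("utf-8")
    forged = _b64(forged_payload) + "." + token.split(".", 1)[1]
    return {
        "vulnerable_replay_accepted": confirm_email_change_vulnerable(vulnerable, 2, token),
        "vulnerable_bob_email": vulnerable[2]["email"],
        "fixed_replay_accepted": confirm_email_change_fixed(fixed, 2, token),
        "fixed_bob_email": fixed[2]["email"],
        "fixed_legit_accepted": confirm_email_change_fixed(fixed, 1, token),
        "fixed_alice_email": fixed[1]["email"],
        "forged_signature_accepted": parse_token(forged) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature alone only proves the token was minted by the server; it says nothing about which account it was minted for, which is exactly the gap the advisory describes. A production fix would also look the token up against the account's pending change request (so it is single-use and expires), which this illustration omits.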

Affected Version(s)

Affected range                      Fixed in
saleor >= 2.10.0, < 3.20.118        3.20.118
saleor >= 3.21.0-a.0, < 3.21.54     3.21.54
saleor >= 3.22.0-a.0, < 3.22.47     3.22.47

CVSS V4

Score: 5.9
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Attack Requirements: not recorded (the page lists "Physical", which is not a valid value for this CVSS v4 metric; valid values are None and Present)
Privileges Required: not recorded (listed as "Undefined")
User Interaction: not recorded (listed as "Unknown")
Confidentiality: None
Integrity: High
Availability: None

The Integrity: High / Confidentiality: None split matches the description: the flaw lets an account's email address be rewritten but does not by itself disclose data or affect availability.

Timeline

  • Vulnerability published: 8 April 2026

  • Vulnerability reserved