Information Disclosure Vulnerability in Saleor E-commerce Platform
CVE-2026-39851

5.3 MEDIUM

Key Information:

Vendor: Saleor

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-39851?

In the Saleor e-commerce platform, a security flaw has been identified that allows the exposure of user-provided email addresses through the response of the requestEmailChange() mutation. This issue exists in versions from 2.10.0 up to, but not including, 3.23.0a3, and in specific earlier versions such as 3.22.47, 3.21.54, and 3.20.118. This vulnerability could potentially be exploited by an attacker to determine which email addresses are registered with the platform, leading to possible phishing attacks or further exploitation of the user base.

Affected Version(s)

saleor >= 2.10.0, < 3.20.118 < 2.10.0, 3.20.118

saleor >= 3.21.0-a.0, < 3.21.54 < 3.21.0-a.0, 3.21.54

saleor >= 3.22.0-a.0, < 3.22.47 < 3.22.0-a.0, 3.22.47

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
