CVE-2026-24136
Severity: HIGH (CVSS 7.5)
Description
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44, and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PII exfiltrated. The issue has been patched in Saleor versions 3.22.29, 3.21.45, and 3.20.110. As a workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
CVE details
CVSS v3.1 score: 7.5
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 1/24/2026
Last modified: 2/12/2026
Source: nvd
Honeypot sightings: 0
Affected products
saleor:saleor
Weaknesses (CWE)
CWE-639
References
https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa (security-advisories@github.com)
https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af (security-advisories@github.com)
https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153 (security-advisories@github.com)
https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944 (security-advisories@github.com)
https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.