CVE-2026-24136
Severity: HIGH (CVSS 7.5)
Description
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44, and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PII exfiltrated. The issue has been patched in Saleor versions 3.22.29, 3.21.45, and 3.20.110. As a workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
CVE details
CVSS v3.1 score: 7.5
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 1/24/2026
Last modified: 2/12/2026
Source: nvd
Honeypot sightings: 0
Affected products
saleor:saleor
Weaknesses (CWE)
CWE-639
References
https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa (security-advisories@github.com)
https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af (security-advisories@github.com)
https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153 (security-advisories@github.com)
https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944 (security-advisories@github.com)
https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.