Platform: nodejs
Component: saleor
Fixed in: 2.0.1, 3.21.1, 3.22.1, 3.23.1
CVE-2026-35401 is a high-severity vulnerability affecting the Saleor e-commerce platform. It allows malicious actors to exhaust server resources by crafting GraphQL queries with excessive mutations or chained operations. This vulnerability impacts Saleor versions from 2.0.0 through 3.23.0-a.0 (excluding 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118). A fix is available in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
The primary impact of CVE-2026-35401 is resource exhaustion. By sending a large number of complex GraphQL queries or mutations within a single API request, an attacker can overwhelm the Saleor server's resources, including CPU, memory, and database connections. This can lead to a denial-of-service (DoS) condition, making the e-commerce platform unavailable to legitimate users. The blast radius extends to all users of the affected Saleor instance, as the server becomes unresponsive. While the vulnerability doesn't directly expose sensitive data, a prolonged DoS could disrupt business operations and potentially lead to financial losses. The ability to chain mutations increases the potential for complex and resource-intensive attacks.
CVE-2026-35401 was published on 2026-04-08. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature makes it likely that PoCs will emerge as Saleor gains wider adoption. The ease of crafting malicious GraphQL queries suggests a moderate risk of exploitation if the vulnerability remains unpatched.
E-commerce businesses utilizing Saleor versions 2.0.0 through 3.23.0-a.0 (excluding patched versions) are at risk. This includes organizations running Saleor in production environments, particularly those with publicly accessible GraphQL endpoints. Shared hosting environments where multiple Saleor instances share resources are also at increased risk, as an attack on one instance could impact others.
• nodejs / server: ps aux | grep saleor
• nodejs / server: journalctl -u saleor -f | grep "GraphQL query exceeded"
• generic web: Use a web proxy or browser developer tools to inspect GraphQL requests. Look for unusually long or complex queries with many aliases or chained mutations.
disclosure
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35401 is to upgrade Saleor to a patched version. Upgrade to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 as soon as possible. If an immediate upgrade is not feasible, consider implementing rate limiting on GraphQL requests to prevent a single client from submitting an excessive number of queries. Web Application Firewalls (WAFs) configured to detect and block suspicious GraphQL patterns could also provide a temporary layer of protection. Review Saleor's GraphQL schema and query validation rules to identify and restrict potentially abusive query structures. After upgrading, confirm the fix by attempting to submit a complex, chained GraphQL query and verifying that the server does not experience resource exhaustion.
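The abusive query shape described above (many aliased or chained mutations in one request) and the query-validation mitigation from this section, as an added example that is not Saleor's code: a small pre-execution guard that counts selections, aliases and nesting depth of a GraphQL document and rejects oversized requests before any resolver or database call runs. The limit values, the updateItem mutation name and the sample requests are constructed assumptions.

```javascript
// Added example (not Saleor's code): reject oversized GraphQL documents before
// execution. Limits are assumptions to be tuned for a given deployment.
const DEFAULT_LIMITS = { maxFields: 100, maxAliases: 10, maxDepth: 8 };

// Minimal scanner: strings, block strings and comments are dropped so braces
// inside them are not mistaken for selection sets.
const TOKEN_RE = /"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|\.\.\.|@?[A-Za-z_][A-Za-z0-9_]*|[{}():]/g;

function scan(doc) {
  const tokens = [];
  for (let m; (m = TOKEN_RE.exec(doc)) !== null;) {
    if (m[0][0] !== '"' && m[0][0] !== '#') tokens.push(m[0]); // drop strings/comments
  }
  return tokens;
}

// Counts every field selected at any depth, how many carry an alias, and the
// deepest nesting. Fragment definition bodies are counted too (restrictive side).
function analyzeDocument(doc) {
  const stats = { fields: 0, aliases: 0, maxDepth: 0 };
  const tokens = scan(doc);
  let brace = 0, paren = 0, skip = 0;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '(') { paren++; continue; }
    if (t === ')') { paren--; continue; }
    if (paren > 0) continue;                  // arguments and input objects
    if (t === '{') { brace++; stats.maxDepth = Math.max(stats.maxDepth, brace); continue; }
    if (t === '}') { brace--; continue; }
    if (t === '...') { skip = tokens[i + 1] === 'on' ? 2 : 1; continue; } // fragment spreads
    if (skip > 0) { skip--; continue; }
    if (t === ':' || t[0] === '@' || brace < 1) continue; // directives, operation keywords/names
    if (tokens[i + 1] === ':') { stats.aliases++; i += 2; } // "alias: field"
    stats.fields++;
  }
  return stats;
}

// Decision the HTTP layer can enforce before the query reaches the resolvers.
function checkQueryLimits(doc, limits = DEFAULT_LIMITS) {
  const stats = analyzeDocument(doc);
  const failed = [
    [stats.fields > limits.maxFields, 'too many selections'],
    [stats.aliases > limits.maxAliases, 'too many aliased selections'],
    [stats.maxDepth > limits.maxDepth, 'query nested too deeply'],
  ].find(([exceeded]) => exceeded);
  return { allowed: !failed, reason: failed ? failed[1] : null, stats };
}

// Constructed samples: an ordinary storefront query and a request that repeats
// one hypothetical mutation 50 times through aliases.
const BENIGN_QUERY = 'query { products(first: 5) { edges { node { id name } } } }';
const ALIAS_FLOOD = 'mutation { ' + Array.from({ length: 50 },
  (_, i) => `m${i}: updateItem(input: { name: "x{y}" }) { id }`).join(' ') + ' }';
console.log(checkQueryLimits(BENIGN_QUERY), checkQueryLimits(ALIAS_FLOOD));
```

Wiring the check into the request path in front of the GraphQL executor gives a cheap first line of defence until the patched release is deployed; a rejected request should also be logged so the journalctl search above has something to match.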
Update Saleor to version 3.23.0a3, 3.22.47, 3.21.54 or 3.20.118 to fix the resource exhaustion vulnerability in GraphQL queries. This update limits the amount of resources that GraphQL queries can consume and thereby prevents denial-of-service attacks. For more information on updating, see the release notes.
CVE-2026-35401 is a high-severity vulnerability in Saleor allowing attackers to exhaust server resources through crafted GraphQL queries, potentially leading to denial of service.
You are affected if you are running Saleor versions from 2.0.0 up to and including 3.23.0-a.0 (that is, any version below 3.23.0a3). Check your version and upgrade immediately.
Upgrade Saleor to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118. Consider rate limiting and WAF rules as temporary mitigations.
No active exploitation has been confirmed at this time, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the Saleor security advisories on their official website or GitHub repository for the latest information and updates.