Platform: nodejs
Component: saleor
Fixed in: 2.0.1, 3.21.1, 3.22.1, 3.23.1
CVE-2026-33756 is a Denial of Service (DoS) vulnerability discovered in Saleor, an e-commerce platform. This flaw allows an unauthenticated attacker to exhaust server resources by exploiting the platform's GraphQL query batching feature. The vulnerability impacts versions 2.0.0 through 3.23.0-a.0, excluding 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. A patch is available in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
The core of this vulnerability lies in Saleor's GraphQL query batching implementation. Batching is intended to improve performance by allowing multiple queries in a single request, but the implementation did not limit the number of operations a single request could carry. An attacker can craft an HTTP request containing a large array of GraphQL operations; because complexity limits are enforced per query rather than per request, the batch as a whole bypasses them. The result can be excessive CPU usage, memory exhaustion and ultimately a denial of service that renders the e-commerce platform unavailable to legitimate users. Because no authentication is required, any external user can trigger the condition, which significantly expands the attack surface. The impact is particularly severe for businesses relying on Saleor for online sales and customer interactions, since a successful attack could result in lost revenue and reputational damage.
This vulnerability was publicly disclosed on 2026-04-08. Currently, there is no indication of active exploitation campaigns targeting CVE-2026-33756. The vulnerability is not listed on CISA KEV as of this writing. While a public proof-of-concept is not yet available, the ease of exploitation (unauthenticated, simple HTTP request) suggests a high likelihood of a PoC being developed and potentially leveraged in attacks.
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33756 is to upgrade to a patched version of Saleor. Versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 contain the necessary fixes to limit the number of operations in GraphQL batch requests. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rules to limit the size and complexity of incoming GraphQL requests. Specifically, look for rules that restrict the number of operations within a single request. Additionally, monitor Saleor server resources (CPU, memory) for unusual spikes, which could indicate an ongoing attack. After upgrading, confirm the fix by sending a large batch of GraphQL queries and verifying that the server handles them without resource exhaustion.
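A minimal version of the edge check described above, counting the operations in a GraphQL POST body before anything is executed and rejecting oversized batches. This is an added example, not Saleor's code or the limit used in the patched releases; the limit value, function names and sample bodies are assumptions constructed for this illustration.

```python
import json
from dataclasses import dataclass

# Upper bound on operations per HTTP request. An assumed policy value for
# this example, not the limit enforced by Saleor's patched releases.
MAX_BATCH_OPERATIONS = 10


@dataclass
class Decision:
    allowed: bool
    operations: int
    reason: str


def check_graphql_batch(body: bytes, max_ops: int = MAX_BATCH_OPERATIONS) -> Decision:
    """Decide whether a GraphQL POST body stays within the batch limit.

    A GraphQL request body is either one JSON object (a single operation) or a
    JSON array of such objects (a batch). Counting the array length happens
    before any query is parsed or resolved, so an oversized batch costs the
    server almost nothing to reject.
    """
    try:
        payload = json.loads(body)
    except ValueError:  # includes UnicodeDecodeError for non-UTF-8 bodies
        return Decision(False, 0, "body is not valid JSON")
    if isinstance(payload, dict):
        ops = [payload]
    elif isinstance(payload, list):
        ops = payload
    else:
        return Decision(False, 0, "body must be a JSON object or array")
    if not ops:
        return Decision(False, 0, "empty batch")
    if not all(isinstance(op, dict) and isinstance(op.get("query"), str) for op in ops):
        return Decision(False, len(ops), "every operation needs a 'query' string")
    if len(ops) > max_ops:
        return Decision(False, len(ops), f"batch of {len(ops)} exceeds limit of {max_ops}")
    return Decision(True, len(ops), "ok")


# Constructed sample bodies: a single operation, a small batch, and a batch
# of the oversized kind the advisory describes.
SINGLE = json.dumps({"query": "{ __typename }"}).encode()
SMALL_BATCH = json.dumps([{"query": "{ __typename }"}] * 3).encode()
OVERSIZED_BATCH = json.dumps([{"query": "{ __typename }"}] * 500).encode()

if __name__ == "__main__":
    for label, body in [("single", SINGLE), ("batch3", SMALL_BATCH), ("batch500", OVERSIZED_BATCH)]:
        d = check_graphql_batch(body)
        # Rejections are worth logging: a run of them from one client is the
        # kind of signal the resource monitoring above is meant to surface.
        print(f"{label}: allowed={d.allowed} operations={d.operations} reason={d.reason}")
```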
Update to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 to mitigate the vulnerability. These versions include a limit on the number of operations allowed in GraphQL batch queries, preventing resource exhaustion.
CVE-2026-33756 is a Denial of Service vulnerability in Saleor allowing unauthenticated attackers to exhaust server resources via malicious GraphQL requests. It affects versions 2.0.0 through 3.23.0-a.0 (the affected range ends before 3.23.0a3).
You are affected if you are running Saleor versions 2.0.0 through 3.23.0-a.0, excluding 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Upgrade to Saleor version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118. Consider WAF rules to limit GraphQL request size as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation suggests a potential risk.
Refer to the Saleor security advisories on their official website or GitHub repository for the latest information.