Platform: nodejs
Component: saleor
Fixed in: 2.0.1, 3.21.1, 3.22.1, 3.23.1
CVE-2026-35401 is a high-severity vulnerability affecting the Saleor e-commerce platform. It allows malicious actors to exhaust server resources by crafting GraphQL queries with excessive mutations or chained operations. This vulnerability impacts Saleor versions from 2.0.0 through 3.23.0-a.0 (excluding 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118). A fix is available in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
The core impact of CVE-2026-35401 is denial of service (DoS). An attacker can craft malicious GraphQL queries that leverage aliases or chaining to execute a large number of mutations within a single API call. This can overwhelm the Saleor server's resources, including CPU, memory, and database connections, leading to service unavailability. The blast radius extends to all users of the affected Saleor instance, as legitimate requests may be blocked while the server is under attack. While the vulnerability doesn't directly expose sensitive data, prolonged DoS can disrupt business operations and potentially mask other malicious activities.
This vulnerability was publicly disclosed on 2026-04-08. No known public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on CISA KEV. The CVSS score of 7.5 (HIGH) indicates a significant risk, and the ease of exploitation through crafted GraphQL queries warrants prompt remediation.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-35401 is to upgrade Saleor to a patched version: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118. If immediate upgrading is not possible, consider implementing rate limiting on GraphQL queries to restrict the number of mutations allowed per user or IP address. Web Application Firewalls (WAFs) can be configured to detect and block suspicious GraphQL query patterns. Review and optimize GraphQL schemas to minimize the potential for resource-intensive operations. After upgrading, confirm the fix by attempting to execute a complex, chained GraphQL query and verifying that the server remains stable and responsive.
Update Saleor to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 to mitigate the resource exhaustion vulnerability in GraphQL queries. This update limits the amount of resources consumed by GraphQL queries, preventing denial-of-service attacks. See the release notes for detailed upgrade instructions.
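As an added example (not Saleor's own code and not from this advisory), a request-level check of the kind a gateway or middleware could apply as the interim mitigation described above: it counts root-level mutation fields per request, treating every alias as a separate mutation, sums the operations of a batched request, and rejects fragment spreads at the mutation root because their contents can hide further fields. The limit value, the `createOrder` field name and the `{"query": ...}` request shape are assumptions.

```python
import json
import re

MAX_MUTATIONS_PER_REQUEST = 5  # assumed policy value; the advisory states no threshold

_TOKEN_RE = re.compile(
    r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"'  # block string, string (may contain braces)
    r'|#[^\n]*|\.\.\.'                     # comment, fragment spread
    r'|[{}():@$=!\[\]]'                    # punctuators
    r'|[^\s{}():@$=!\[\]"#,]+'             # names, numbers, keywords
)
_ROOT_SKIP = {":", "@", "$", "=", "!", "[", "]"}

def count_root_mutation_fields(document: str) -> int:
    """Count root-level fields of every mutation operation; each alias is a separate
    field. A fragment spread at a mutation root raises ValueError (it can hide fields)."""
    toks = [t for t in _TOKEN_RE.findall(document) if not t.startswith("#")]
    total = depth = paren = 0
    op = None  # keyword of the top-level definition being scanned
    for i, t in enumerate(toks):
        if t in ("{", "}", "(", ")"):
            depth += (t == "{") - (t == "}")
            paren += (t == "(") - (t == ")")
            if t == "}" and depth == 0 and paren == 0:  # definition ends (not a `= {..}` default)
                op = None
        elif depth == 0 and paren == 0 and t in ("query", "mutation", "subscription", "fragment"):
            op = t
        elif op == "mutation" and depth == 1 and paren == 0 and t not in _ROOT_SKIP:
            if t == "...":
                raise ValueError("fragment spread at mutation root is not allowed")
            # Skip directive names (@foo) and alias labels (label: field).
            if toks[i - 1] != "@" and (i + 1 == len(toks) or toks[i + 1] != ":"):
                total += 1
    return total

def check_request(body: str):
    """Return (allowed, reason) for a raw GraphQL HTTP body; a batched request
    (JSON array) is summed so that splitting the flood across it gains nothing."""
    try:
        payload = json.loads(body)
        ops = payload if isinstance(payload, list) else [payload]
        total = sum(count_root_mutation_fields(op.get("query", "")) for op in ops)
    except (ValueError, AttributeError, TypeError) as exc:
        return False, f"rejected: {exc}"
    if total > MAX_MUTATIONS_PER_REQUEST:
        return False, f"{total} root mutation fields exceed the limit of {MAX_MUTATIONS_PER_REQUEST}"
    return True, "ok"

# Constructed sample: 20 aliased copies of one mutation in a single request.
SAMPLE_FLOOD = "mutation { " + " ".join(f"m{i}: createOrder(ref: 1) {{ id }}" for i in range(20)) + " }"
```

Running `check_request('{"query": "' + SAMPLE_FLOOD + '"}')` rejects the constructed flood, while a plain query with no mutations passes.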
CVE-2026-35401 is a high-severity vulnerability in Saleor allowing attackers to exhaust server resources through crafted GraphQL queries, potentially leading to denial of service.
You are affected if you are running a Saleor version from 2.0.0 through 3.23.0-a.0 that is below 3.23.0a3. Check your version and upgrade immediately.
Upgrade Saleor to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118. Consider rate limiting and WAF rules as temporary mitigations.
No active exploitation has been confirmed at this time, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the Saleor security advisories on their official website or GitHub repository for the latest information and updates.