Platform
nodejs
Component
saleor
Fixed in
2.10.1
3.21.1
3.22.1
3.23.1
CVE-2026-39851 affects the Saleor e-commerce platform, specifically exposing user-provided email addresses in error messages through the requestEmailChange() mutation. This information disclosure vulnerability could be exploited to gather user data. The vulnerability impacts versions from 2.10.0 up to, but not including, the fixed releases 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. A fix has been released in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
CVE-2026-39851 affects the Saleor e-commerce platform. Between versions 2.10.0 and prior to 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This could allow an attacker to confirm whether an email address is associated with a user account, which could be used for brute-force attacks or social engineering. While it doesn't allow direct account access, confirming the existence of an email address is a significant step in a targeted attack. The severity of this vulnerability is moderate, as it requires the attacker to know or suspect a specific email address to exploit it.
An attacker could exploit this vulnerability by sending a requestEmailChange() request with an email address they believe belongs to a user. If the request fails, the error message might reveal that the email address exists in the system. This process can be repeated with different email addresses to build a list of valid addresses. The obtained information can be used for targeted phishing attacks or to attempt to reset the passwords of specific accounts. The complexity of exploitation is low, as it doesn't require advanced technical skills, but it does require access to the Saleor API.
Exploit Status
EPSS
0.06% (17th percentile)
CISA SSVC
To mitigate this vulnerability, it is highly recommended to update Saleor to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118. These versions include a fix that prevents the disclosure of email addresses in error messages. In the meantime, as a temporary measure, you can implement log filtering to prevent email addresses from being logged in error messages. It's crucial to review your Saleor platform configuration to ensure there are no other settings that could facilitate the disclosure of sensitive information. Regular security patching is a fundamental practice for maintaining platform security.
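The two passages above describe the same defect from both sides: an error message whose text depends on whether the submitted address is already registered, and a mitigation that removes the address from error output. The following Python example is added here and is not Saleor's code or its actual patch; the in-memory account store, the resolver names, the send_verification helper and the logger name are all constructed for illustration. It shows the leaky response shape beside a uniform one, a regression check a test suite can run to catch the oracle, and a logging filter that redacts email addresses, which is the interim log-filtering measure recommended above.

```python
"""Added example (not Saleor's code): an email-enumeration oracle, a uniform
response that closes it, and a log filter for the interim mitigation."""
import logging
import re

# Constructed in-memory account store standing in for the application database.
ACCOUNTS = {"alice@example.com": {"id": 1}}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

log = logging.getLogger("email_change")  # assumed logger name


def redact_emails(text: str) -> str:
    """Replace every email address in a string with a fixed token."""
    return EMAIL_RE.sub("<email redacted>", text)


def send_verification(address: str) -> None:
    """Hypothetical helper: queue the confirmation email for the new address."""
    log.info("queued confirmation mail for %s", address)


def request_email_change_leaky(new_email: str) -> dict:
    """Vulnerable pattern: the error text depends on whether new_email is
    already registered, so the endpoint confirms account existence and
    echoes the address back into the error (and into any error log)."""
    if new_email in ACCOUNTS:
        return {"errors": [{"field": "newEmail",
                            "message": f"Email {new_email} is already taken"}]}
    send_verification(new_email)
    return {"errors": []}


def request_email_change_hardened(new_email: str) -> dict:
    """Hardened pattern (general mitigation, not Saleor's patch): the payload
    is identical either way; only the side effect differs, and the caller
    cannot observe it without access to the mailbox."""
    if new_email not in ACCOUNTS:
        send_verification(new_email)
    else:
        # Log the event without the address so the log is not a second oracle.
        log.warning("email change requested for an address already in use")
    return {"errors": [],
            "message": "If the address can be used, a confirmation email has been sent."}


def is_enumeration_oracle(mutation, known: str, unknown: str) -> bool:
    """Regression check for a test suite: True if the mutation's response
    differs between a registered and an unregistered address."""
    return mutation(known) != mutation(unknown)


class EmailRedactingFilter(logging.Filter):
    """Interim mitigation: strip email addresses from log records before a
    handler writes them, so error logs stop disclosing user addresses."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_emails(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so they can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def run_with_redaction(new_email: str) -> list:
    """Run the hardened mutation with the redacting filter attached and
    return the log lines that would have reached a real handler."""
    handler = ListHandler()
    handler.addFilter(EmailRedactingFilter())
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    try:
        request_email_change_hardened(new_email)
    finally:
        log.removeHandler(handler)
    return handler.lines


if __name__ == "__main__":
    known, unknown = "alice@example.com", "nobody@example.com"
    print("leaky is an oracle:", is_enumeration_oracle(request_email_change_leaky, known, unknown))
    print("hardened is an oracle:", is_enumeration_oracle(request_email_change_hardened, known, unknown))
    print("redacted log lines:", run_with_redaction(unknown))
```

The is_enumeration_oracle check is the piece worth keeping after the upgrade: run it against every mutation that takes an email or username, with one registered and one unregistered value, and any response difference (status, error list, message text, or even timing if you extend the check) is a regression.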
Update Saleor to version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 to mitigate the user enumeration vulnerability. This update fixes the exposure of user-provided email addresses in error messages.
Saleor versions from 2.10.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 are affected.
Follow the upgrade instructions provided in the official Saleor documentation. Ensure you back up your database before upgrading.
You can implement log filtering to prevent email addresses from being logged in error messages.
The vulnerability is considered moderate, as it requires the attacker to know or suspect a specific email address.
You can find more information about this vulnerability in the CVE vulnerability database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39851