Platform
nodejs
Component
saleor
Fixed in
2.10.1
3.21.1
3.22.1
3.23.1
CVE-2026-35407 is a business-logic and authorization flaw in Saleor, an open-source e-commerce platform. The email change confirmation step accepts a confirmation token without checking that it was issued for the account that submits it, so an attacker can use a token issued for one account to change the email address stored on another. Because the email address is what password resets and account notifications are sent to, the outcome is account takeover. The affected range runs from 2.10.0 up to, but not including, 3.23.0a3; the backported maintenance releases 3.22.47, 3.21.54 and 3.20.118 are not affected. The fix is in 3.23.0a3 and those maintenance releases.
The core of the vulnerability is the email change confirmation workflow. Saleor issues a confirmation token that binds a target account to the requested new address. When that token is later presented to confirm the change, the server fails to verify that the token was issued for the account the caller is currently authenticated as. An attacker who obtains a valid token issued for another account can therefore replay it while logged in as a different user, and the other account's email address is updated to the address specified in the token. If that address is under the attacker's control, the attacker now receives the notifications and password reset messages meant for the victim and can lock the legitimate owner out. Every account whose confirmation token the attacker can obtain is in scope. The flaw does not by itself expose stored data, but control of an account's email address is enough to reset its password and to mount convincing phishing against the victim, so the practical damage extends well beyond the changed field.
CVE-2026-35407 was published on April 8, 2026. Exploitation probability is currently assessed as low: no public proof-of-concept (PoC) code has been released, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing, and there are no reports of active campaigns. Monitor the NVD entry and CISA advisories for changes.
Exploit Status
EPSS
0.03% (10th percentile)
The primary mitigation for CVE-2026-35407 is to upgrade Saleor to 3.23.0a3 or later, or to one of the patched maintenance releases (3.22.47, 3.21.54, 3.20.118). Nothing short of the patch closes the authorization gap; the measures below only reduce exposure while you schedule the upgrade. If you maintain a fork, apply the same check the fix adds: the confirmation step must verify that the token was issued for the authenticated account and reject it otherwise. Rate limit email change requests and confirmations to cap the number of replay attempts an attacker can make. Enable multi-factor authentication so that control of the email address alone is not enough to take over an account. Review logs for email change confirmations whose token subject does not match the acting user, and for accounts whose address changes unusually often. After upgrading, confirm the fix by submitting a confirmation token generated for one account while authenticated as a different account: the request must now be rejected.
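The replay described above and the post-upgrade check are easiest to see on a small model of the confirmation step. The following is an added example written for this page, not Saleor's code: the token format (an HMAC-signed JSON blob), the function names and the in-memory user store are all assumptions for illustration. `confirm_email_change_vulnerable` behaves as the advisory describes (it trusts the token's subject and never compares it with the caller), while `confirm_email_change_fixed` adds the check the patch introduces.

```python
"""Added example, not Saleor's code: a model of the email-change confirmation
step with and without the subject-matches-caller check. Token format, names
and the user store are assumptions for illustration only."""
import base64
import hashlib
import hmac
import json

SECRET = b"demo-secret-key"  # assumption: any server-side signing secret
SIG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_email_change_token(user_pk: int, new_email: str) -> str:
    """Server side: bind (user_pk, new_email) in a signed token. In a real
    deployment this token is mailed to new_email as a confirmation link."""
    payload = json.dumps({"user_pk": user_pk, "new_email": new_email}).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def parse_token(token: str) -> dict:
    """Verify the signature and return the bound fields; tampering fails."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(payload)):
        raise ValueError("invalid token signature")
    return json.loads(payload)


def confirm_email_change_vulnerable(users: dict, current_user_pk: int, token: str) -> int:
    """Unsafe: applies the change to the account named in the token without
    checking that the token was issued for the authenticated caller."""
    data = parse_token(token)
    target = users[data["user_pk"]]
    target["email"] = data["new_email"]
    return target["pk"]


def confirm_email_change_fixed(users: dict, current_user_pk: int, token: str) -> int:
    """Hardened: a token is only honoured by the account it was issued for."""
    data = parse_token(token)
    if data["user_pk"] != current_user_pk:
        raise PermissionError("token was not issued for the authenticated account")
    users[current_user_pk]["email"] = data["new_email"]
    return current_user_pk


def make_users() -> dict:
    """Constructed in-memory user store: pk -> record (sample data)."""
    return {
        1: {"pk": 1, "email": "victim@example.com"},
        2: {"pk": 2, "email": "attacker@example.com"},
    }


def demo() -> dict:
    """Replay a token issued for account 1 while authenticated as account 2,
    against both variants, then run the legitimate confirmation."""
    evil_address = "mailbox-controlled-by-attacker@example.com"
    victim_token = issue_email_change_token(1, evil_address)

    users = make_users()
    confirm_email_change_vulnerable(users, 2, victim_token)  # attacker acting as pk 2
    hijacked_email = users[1]["email"]  # victim's address is now attacker-controlled

    users = make_users()
    try:
        confirm_email_change_fixed(users, 2, victim_token)
        rejected = False
    except PermissionError:
        rejected = True
    legit_pk = confirm_email_change_fixed(users, 1, victim_token)  # owner confirms own change

    return {
        "vulnerable_email": hijacked_email,
        "fixed_rejected_replay": rejected,
        "fixed_legit_pk": legit_pk,
        "fixed_email": users[1]["email"],
    }


if __name__ == "__main__":
    print(demo())
```

The last part of `demo` is the post-upgrade check from the paragraph above expressed as code: the same token, presented by an account it was not issued for, must be refused, while the account it was issued for can still complete the change.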
Upgrade Saleor to 3.23.0a3, 3.22.47, 3.21.54 or 3.20.118 to mitigate the vulnerability. The update corrects the authorization flaw in the email change flow so that confirmation tokens are only applied to the account they were generated for.
It is an authorization flaw in the Saleor e-commerce platform: an attacker holding an email change confirmation token issued for one account can replay it while logged in as a different account, changing the first account's email address and potentially taking it over.
You are affected if you run any Saleor version from 2.10.0 up to, but not including, 3.23.0a3 (this includes the 3.23.0 pre-releases before 3.23.0a3), unless you are on one of the patched maintenance releases 3.22.47, 3.21.54 or 3.20.118.
Upgrade Saleor to 3.23.0a3 or later, or to a patched maintenance release (3.22.47, 3.21.54, 3.20.118). If an immediate upgrade is not possible, reduce exposure with rate limiting on email change requests and MFA; these do not close the flaw itself.
Currently, there are no public POCs or reports of active exploitation, but continuous monitoring is recommended.
Refer to the Saleor security advisories and the National Vulnerability Database (NVD) entry for CVE-2026-35407 for further details.