Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.

Basic Information

ID CVE-2026-24136

Source GitHub_M

Published Jan 23, 2026 at 23:38

Affected Product

Vendor saleor

Product saleor

Version >= 3.22.0-a.0, < 3.22.29

Affected Versions saleor saleor >= 3.22.0-a.0, < 3.22.29
saleor saleor >= 3.21.0-a.0, < 3.21.45
saleor saleor >= 3.2.0, < 3.20.110

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.",
    "published": "2026-01-23T23:38:31.414Z",
    "modified": "2026-01-23T23:38:31.414Z",
    "type": "cve",
    "title": "Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API",
    "source": "GitHub_M",
    "references": "https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr\nhttps://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa\nhttps://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af\nhttps://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153\nhttps://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944",
    "id": "CVE-2026-24136",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "saleor saleor >= 3.22.0-a.0, < 3.22.29\nsaleor saleor >= 3.21.0-a.0, < 3.21.45\nsaleor saleor >= 3.2.0, < 3.20.110",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "saleor",
    "version": ">= 3.22.0-a.0, < 3.22.29",
    "vendor": "saleor",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API_CVE-2026-24136