PT-2026-31347 · Saleor · Saleor

Published

2026-04-08

Updated

2026-04-08

CVE-2026-33756

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Saleor versions 2.0.0 through 3.22.47

Description Saleor, an e-commerce platform, allowed an unauthenticated attacker to exhaust resources by sending a single HTTP request containing multiple GraphQL operations. The platform supported query batching via a JSON array of operations but lacked a limit on the number of operations allowed. This bypassed the per-query complexity limit.

Recommendations Update to version 3.23.0a3 or later. Update to version 3.22.47 or later. Update to version 3.21.54 or later. Update to version 3.20.118 or later.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

CVE-2026-33756

Affected Products

Saleor

PT-2026-31347 · Saleor · Saleor

CVE-2026-33756

Weakness Enumeration

Related Identifiers

Affected Products

References · 8