PT-2026-31392 · Saleor · Saleor

Published: 2026-04-08 · Updated: 2026-04-08 · CVE-2026-35407

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Saleor versions 2.10.0 through 3.22.47, 3.21.54, and 3.20.118
Description: A business-logic and authorization flaw exists in the account email change workflow. The confirmation flow does not verify that the email change confirmation token was issued for the authenticated user. A valid email-change token generated for one account can be replayed while authenticated as a different account, leading to unauthorized modification of that account's email address: the new email carried in the token is applied to the second account, even though the token was never issued for it.
Recommendations: Update to Saleor version 3.23.0a3 or later, 3.22.47 or later, 3.21.54 or later, or 3.20.118 or later.
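To illustrate the missing check the description refers to, the following is an added example and not Saleor's code: a constructed email-change token records the id of the account that requested it, and the hardened confirmation handler rejects any token whose user_id does not match the authenticated account, while the flawed variant applies any validly signed token to whoever is logged in. The signing key, token format, account store and function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed signing key for this illustration; a real service loads it from config.
SECRET_KEY = b"illustrative-signing-key-not-for-production"


def issue_token(user_id: int, new_email: str) -> str:
    """Issue a signed email-change token that records which account requested it."""
    payload = json.dumps({"user_id": user_id, "new_email": new_email}).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str) -> Optional[dict]:
    """Return the token's payload if the signature is valid, otherwise None."""
    try:
        enc_payload, _, enc_sig = token.partition(".")
        payload = base64.urlsafe_b64decode(enc_payload)
        sig = base64.urlsafe_b64decode(enc_sig)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def confirm_email_change_vulnerable(token: str, accounts: Dict[int, str],
                                    auth_user_id: int) -> bool:
    """The flawed pattern the advisory describes: a validly signed token is
    applied to whichever account is currently authenticated."""
    data = verify_token(token)
    if data is None:
        return False
    accounts[auth_user_id] = data["new_email"]
    return True


def confirm_email_change_fixed(token: str, accounts: Dict[int, str],
                               auth_user_id: int) -> bool:
    """Hardened: reject the token unless it was issued for the authenticated account."""
    data = verify_token(token)
    if data is None or data.get("user_id") != auth_user_id:
        return False
    accounts[auth_user_id] = data["new_email"]
    return True
```

Binding the token to the requesting account (and verifying that binding server-side) is the property the fixed versions restore; detection-wise, a confirmation whose token user_id differs from the session's user is the event worth logging and alerting on.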

Fix

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2026-35407

Affected Products: Saleor