PT-2026-4536 · Saleor · Saleor
Nyankiyoshi
·
Published
2026-01-23
·
Updated
2026-01-24
·
CVE-2026-24136
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Saleor versions 3.2.0 through 3.20.109
Saleor versions 3.21.0-a.0 through 3.21.44
Saleor versions 3.22.0-a.0 through 3.22.28
Description
Saleor, an e-commerce platform, is affected by an Insecure Direct Object Reference (IDOR) issue that lets unauthenticated actors retrieve sensitive information in plain text by referencing objects directly. Orders created before Saleor 3.2.0 may have their Personally Identifiable Information (PII) exfiltrated.
Recommendations
Update to Saleor version 3.22.29.
Update to Saleor version 3.21.45.
Update to Saleor version 3.20.110.
Temporarily block non-staff users from fetching order information using the order() GraphQL query with a Web Application Firewall (WAF).
Exploit
Fix
IDOR
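As an added example (not part of this advisory and not Saleor's code), the temporary mitigation from the recommendations written as a request filter that a reverse proxy or WAF could apply: it rejects GraphQL documents that select the root `order` query unless the bearer token verifies as a staff account, and otherwise passes traffic through. Assumptions: standard GraphQL-over-HTTP JSON bodies (`{"query": ...}`, optionally batched as a list), an `Authorization: Bearer <token>` header, and an `is_staff` callback supplied by the deployment to verify the token; the sample requests and the order ID in them are constructed.

```python
import json
import re
from typing import Callable, Dict, List, Set

# Tokens of a GraphQL document that matter for locating root selections:
# string literals, fragment spreads, names, variables, punctuators.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\.\.\.|[A-Za-z_]\w*|\$[A-Za-z_]\w*|[{}():@]|[^\s,]')
_NAME = re.compile(r'[A-Za-z_]\w*')

# The root query named in the advisory; extend if a deployment exposes more.
BLOCKED_ROOT_FIELDS = {"order"}


def top_level_fields(query: str) -> Set[str]:
    """Return the field names selected directly on the root type.

    Aliases resolve to the real field name; arguments (including object
    literals), directives and fragment spreads are skipped. Fields inside
    fragment definitions count too, so a spread cannot hide `order`.
    """
    q = re.sub(r'#[^\r\n]*', '', query)          # drop comments (simplified)
    toks = [m.group(0) for m in _TOKEN.finditer(q)]
    names: Set[str] = set()
    brace = paren = 0
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == '(':
            paren += 1
        elif t == ')':
            paren -= 1
        elif paren == 0 and t == '{':
            brace += 1
        elif paren == 0 and t == '}':
            brace -= 1
        elif paren == 0 and brace == 1:
            if t == '...':                       # "... on Type" or "...Frag"
                i += 2 if i + 1 < len(toks) and toks[i + 1] == 'on' else 1
            elif t == '@':                       # skip the directive name
                i += 1
            elif _NAME.fullmatch(t):
                if i + 1 < len(toks) and toks[i + 1] == ':':
                    i += 2                       # alias: real name follows
                    t = toks[i] if i < len(toks) else ''
                if t:
                    names.add(t)
        i += 1
    return names


def should_block(request: Dict, is_staff: Callable[[str], bool]) -> bool:
    """Decide whether the edge should reject this GraphQL request.

    `request` is {"headers": {...}, "body": "<json>"}. `is_staff` is an
    assumed deployment hook that verifies a bearer token and reports whether
    it belongs to a staff account. Fails closed: unparsable bodies are blocked.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token and is_staff(token):
        return False                             # staff: application RBAC applies
    try:
        body = json.loads(request.get("body", ""))
    except json.JSONDecodeError:
        return True
    docs: List = body if isinstance(body, list) else [body]   # batched queries
    for doc in docs:
        query = doc.get("query") if isinstance(doc, dict) else None
        if not isinstance(query, str):
            return True
        if top_level_fields(query) & BLOCKED_ROOT_FIELDS:
            return True
    return False


# Constructed sample traffic (not captured from any real store).
ORDER_QUERY = 'query { order(id: "T3JkZXI6MQ==") { id number userEmail } }'  # constructed id


def _req(query: str, token: str = "") -> Dict:
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    return {"headers": headers, "body": json.dumps({"query": query})}


def demo(is_staff: Callable[[str], bool] = lambda tok: tok == "staff-token") -> Dict[str, bool]:
    """Run the filter over the constructed samples; True means blocked."""
    batch = json.dumps([{"query": "{ shop { name } }"}, {"query": ORDER_QUERY}])
    return {
        "anon_order": should_block(_req(ORDER_QUERY), is_staff),
        "anon_alias": should_block(_req('{ o: order(id: "T3JkZXI6MQ==") { id } }'), is_staff),
        "anon_products": should_block(_req('{ products(first: 5) { edges { node { id } } } }'), is_staff),
        "customer_order": should_block(_req(ORDER_QUERY, "customer-token"), is_staff),
        "staff_order": should_block(_req(ORDER_QUERY, "staff-token"), is_staff),
        "anon_batch": should_block({"headers": {}, "body": batch}, is_staff),
        "anon_comment_only": should_block(_req("# order\n{ shop { name } }"), is_staff),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name:18} -> {'BLOCK' if blocked else 'allow'}")
```

The filter deliberately errs toward blocking: aliased selections, batched documents and fragment definitions that select `order` are all caught, and a body that is not valid GraphQL-over-HTTP JSON is rejected rather than forwarded. It only gates the root `order` query, so the permanent fix remains upgrading to the patched releases listed above.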
Affected Products
Saleor