CVE-2026-35407 (GCVE-0-2026-35407)
Vulnerability from cvelistv5 – Published: 2026-04-08 17:24 – Updated: 2026-04-10 20:36
VLAI?
Title
Saleor has Cross-Account Email Change via Unbound Confirmation Token
Summary
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account’s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T20:35:42.746646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T20:36:19.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saleor",
"vendor": "saleor",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 3.20.118"
},
{
"status": "affected",
"version": "\u003e= 3.21.0-a.0, \u003c 3.21.54"
},
{
"status": "affected",
"version": "\u003e= 3.22.0-a.0, \u003c 3.22.47"
},
{
"status": "affected",
"version": "\u003e= 3.23.0-a.0, \u003c 3.23.0a3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account\u2019s email address is then updated to the token\u0027s new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:39.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p"
},
{
"name": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"
},
{
"name": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"
},
{
"name": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"
},
{
"name": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"
},
{
"name": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"
}
],
"source": {
"advisory": "GHSA-hwph-9537-mc3p",
"discovery": "UNKNOWN"
},
"title": "Saleor has Cross-Account Email Change via Unbound Confirmation Token"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35407",
"datePublished": "2026-04-08T17:24:39.716Z",
"dateReserved": "2026-04-02T17:03:42.075Z",
"dateUpdated": "2026-04-10T20:36:19.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-35407\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-08T19:25:24.040\",\"lastModified\":\"2026-04-10T21:16:25.723\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account\u2019s email address is then updated to the token\u0027s new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"references\":[{\"url\":\"https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35407\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T20:35:42.746646Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T20:36:14.051Z\"}}], \"cna\": {\"title\": \"Saleor has Cross-Account Email Change via Unbound Confirmation Token\", \"source\": {\"advisory\": \"GHSA-hwph-9537-mc3p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"saleor\", \"product\": \"saleor\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.10.0, \u003c 3.20.118\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.21.0-a.0, \u003c 3.21.54\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.22.0-a.0, \u003c 3.22.47\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.23.0-a.0, \u003c 3.23.0a3\"}]}], \"references\": [{\"url\": \"https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p\", \"name\": \"https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64\", \"name\": \"https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8\", \"name\": \"https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a\", \"name\": \"https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa\", \"name\": \"https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464\", \"name\": \"https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account\\u2019s email address is then updated to the token\u0027s new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-08T17:24:39.716Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-35407\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T20:36:19.733Z\", \"dateReserved\": \"2026-04-02T17:03:42.075Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-08T17:24:39.716Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…