{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35407", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.075Z", "datePublished": "2026-04-08T17:24:39.716Z", "dateUpdated": "2026-04-10T20:36:19.733Z"}, "containers": {"cna": {"title": "Saleor has Cross-Account Email Change via Unbound Confirmation Token", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p"}, {"name": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"}, {"name": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"}, {"name": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"}, {"name": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"}, {"name": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"}], "affected": [{"vendor": "saleor", "product": "saleor", "versions": [{"version": ">= 2.10.0, < 3.20.118", "status": "affected"}, {"version": ">= 3.21.0-a.0, < 3.21.54", "status": "affected"}, {"version": ">= 3.22.0-a.0, < 3.22.47", "status": "affected"}, {"version": ">= 3.23.0-a.0, < 3.23.0a3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:24:39.716Z"}, "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account\u2019s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "source": {"advisory": "GHSA-hwph-9537-mc3p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:35:42.746646Z", "id": "CVE-2026-35407", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:36:19.733Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-35407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:35:42.746646Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:36:14.051Z"}}], "cna": {"title": "Saleor has Cross-Account Email Change via Unbound Confirmation Token", "source": {"advisory": "GHSA-hwph-9537-mc3p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "saleor", "product": "saleor", "versions": [{"status": "affected", "version": ">= 2.10.0, < 3.20.118"}, {"status": "affected", "version": ">= 3.21.0-a.0, < 3.21.54"}, {"status": "affected", "version": ">= 3.22.0-a.0, < 3.22.47"}, {"status": "affected", "version": ">= 3.23.0-a.0, < 3.23.0a3"}]}], "references": [{"url": "https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p", "name": "https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64", "name": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8", "name": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a", "name": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa", "name": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464", "name": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account\u2019s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:24:39.716Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35407", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:36:19.733Z", "dateReserved": "2026-04-02T17:03:42.075Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T17:24:39.716Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account\u2019s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "id": "CVE-2026-35407", "lastModified": "2026-04-10T21:16:25.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:24.040", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.10.0,3.20.118)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.21.0-a.0,3.21.54)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.22.0-a.0,3.22.47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.23.0-a.0,3.23.0a3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "saleor", "source": "cna", "vendor": "saleor"}, "product": "saleor", "vendor": "saleor"}], "analysis": {"en": {"generated_at": "2026-04-08T21:27:17.602361+00:00", "value": {"mitigation_remediation": ["Upgrade Saleor to version 3.23.0a3 or later, which includes the token validation fix.", "Confirm that the deployed instance is on a patched release; review the release notes or version metadata.", "If an upgrade is not immediately possible, monitor for unexpected email-change activity and consider disabling or restricting the email-change feature until a patch is applied."], "summary": {"action": "Patch", "impact": "Unauthorized Email Change"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Saleor e-commerce platform versions starting from 2.10.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 contain the fix and later releases inherit the patch.", "description_and_impact": "A business-logic and authorization defect in Saleor\u2019s account-email-change workflow allows a token generated for one user to be applied while logged in as a different user. Because the confirmation token is not verified against the currently authenticated account, the second account\u2019s email address is overwritten with the new_email value from the token. This results in an unauthorized change of a user\u2019s email address, potentially disrupting account recovery or notification processes; this consequence is inferred from the nature of the change.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. An attacker must possess a valid email-change confirmation token for one account and be authenticated as a different account to exploit the flaw. The attack can be carried out through the normal account-management interface, making it a relatively straightforward authenticated privilege escalation within the platform."}}}}, "created": "2026-04-08T20:12:50.192319+00:00", "updated": "2026-04-09T08:28:04.834862+00:00", "vendors": ["saleor", "saleor$PRODUCT$saleor"]}