CVE-2026-23499
📋 TL;DR
This vulnerability allows authenticated staff users or apps in the Saleor e-commerce platform to upload malicious HTML/SVG files containing JavaScript. When these files are served from the same domain as the dashboard without proper restrictions, they execute scripts in other users' browsers, potentially stealing access tokens. Only deployments hosting media files on the same domain as the dashboard are affected.
💻 Affected Systems
- Saleor
📦 What is this software?
Saleor by Saleor
⚠️ Risk & Real-World Impact
Worst Case
Malicious staff members could steal access/refresh tokens from other staff members, leading to complete account takeover and potential data breaches.
Likely Case
Authenticated attackers with staff privileges could execute cross-site scripting attacks against other staff users, compromising their sessions.
If Mitigated
With proper Content-Disposition headers or separate media domains, files download instead of executing, preventing script injection.
🎯 Exploit Status
Requires authenticated staff user or app access. Exploitation involves uploading malicious HTML/SVG files and tricking victims into opening them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.20.108, 3.21.43, 3.22.27
Vendor Advisory: https://docs.saleor.io/security/#restricted-file-uploads
Restart Required: Yes
Instructions:
1. Back up your Saleor instance.
2. Update to a patched version using pip: 'pip install saleor==3.22.27' (or the appropriate version for your release line).
3. Apply database migrations if needed.
4. Restart the application server.
🔧 Temporary Workarounds
Configure Content-Disposition Header
Set servers hosting media files (CDN/reverse proxy) to return a Content-Disposition: attachment header, forcing file downloads instead of browser rendering.
nginx: add_header Content-Disposition attachment;
Apache: Header set Content-Disposition attachment
Block HTML/SVG File Serving
Prevent servers from returning HTML and SVG files from media directories.
nginx: location ~* \.(html|svg)$ { deny all; }
Apache: <FilesMatch "\.(html|svg)$"> Require all denied </FilesMatch>
Implement Content Security Policy
Set strict CSP headers on media file responses to prevent script execution.
add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';";
🧯 If You Can't Patch
- Host media files on a separate domain/subdomain from the dashboard (e.g., media.example.com instead of example.com/media/)
- Implement all three workarounds simultaneously for defense in depth
🔍 How to Verify
Check if Vulnerable:
Check whether the Saleor version is within 3.0.0-3.20.107, 3.21.0-3.21.42, or 3.22.0-3.22.26 AND media files are served from the same domain as the dashboard.
Check Version:
python -c "import saleor; print(saleor.__version__)"
Verify Fix Applied:
Verify the version is 3.20.108+, 3.21.43+, or 3.22.27+. Test by uploading an HTML file and checking that it is returned with a Content-Disposition: attachment header (so it downloads) instead of rendering in the browser.
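The header check described above, as an added example that is not part of the original advisory or of Saleor: it classifies one media response from its headers (constructed sample headers are embedded; check_media_url is a hypothetical helper for running the same check against a live test upload).

```python
"""Check whether a media-endpoint response would let an uploaded HTML/SVG file render inline."""
from urllib.request import Request, urlopen

# Content types a browser renders (and runs scripts in) when served inline.
RENDERABLE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def _lower_headers(headers):
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def assess_media_response(headers):
    """Return a list of findings for one media response (empty list means OK).

    The response is acceptable when the type is not renderable, or the file is forced
    to download via Content-Disposition: attachment. A CSP that forbids scripts is the
    secondary mitigation from the workarounds above, so its absence is reported only
    when the file would render inline.
    """
    h = _lower_headers(headers)
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    csp = h.get("content-security-policy", "")
    findings = []
    if ctype in RENDERABLE_TYPES and disposition != "attachment":
        findings.append(f"{ctype} served inline: missing 'Content-Disposition: attachment'")
        if "default-src 'none'" not in csp and "script-src 'none'" not in csp:
            findings.append("no CSP forbidding script execution on the media response")
    return findings


def check_media_url(url, timeout=10):
    """Hypothetical helper: HEAD a live media URL (your own test .html/.svg upload) and assess it."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return assess_media_response(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed header sets: the vulnerable shape and the mitigated shape.
    vulnerable = {"Content-Type": "image/svg+xml", "Content-Length": "812"}
    mitigated = {"Content-Type": "image/svg+xml",
                 "Content-Disposition": 'attachment; filename="logo.svg"'}
    for name, hdrs in (("vulnerable", vulnerable), ("mitigated", mitigated)):
        print(name, assess_media_response(hdrs) or ["OK"])
```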
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/SVG file uploads by staff users
- Multiple file upload attempts with script-like content
Network Indicators:
- HTML/SVG files served from media endpoints without Content-Disposition headers
- Cross-origin requests from media to dashboard domains
SIEM Query:
source="saleor" AND (event="file_upload" AND file_extension IN ("html", "svg")) | stats count by user
🔗 References
- https://docs.saleor.io/security/#restricted-file-uploads
- https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99
- https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10
- https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
- https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c
- https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24
- https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95