CVE-2026-24136
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Saleor e-commerce platform that allows unauthenticated attackers to access sensitive order information in plain text. The vulnerability affects orders created before Saleor 3.2.0, potentially exposing personally identifiable information (PII). All Saleor instances running vulnerable versions are affected.
💻 Affected Systems
- Saleor e-commerce platform
📦 What is this software?
Saleor by Saleor
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of customer PII including names, addresses, payment information, and order history leading to identity theft, financial fraud, and regulatory violations.
Likely Case
Unauthorized access to customer order data containing PII, potentially violating GDPR/CCPA compliance and damaging customer trust.
If Mitigated
Limited or no data exposure with proper access controls and monitoring in place.
🎯 Exploit Status
Exploitation involves manipulating GraphQL queries to access unauthorized order data. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.22.29, 3.21.45, 3.20.110
Vendor Advisory: https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr
Restart Required: Yes
Instructions:
1. Back up your Saleor instance and database.
2. Update Saleor to the patched release for your line (3.22.29, 3.21.45 or 3.20.110). Where Saleor is installed from PyPI: 'pip install saleor==3.22.29' (or the matching version); for Docker or source-checkout deployments, move the image tag or git tag to the patched release instead.
3. Apply database migrations: 'python manage.py migrate'.
4. Restart the Saleor service.
🔧 Temporary Workarounds
WAF Rule to Block Order Queries
Temporarily block non-staff users from accessing the order() GraphQL query using Web Application Firewall rules. Because every GraphQL operation is POSTed to the same endpoint, the rule has to inspect the request body for the order( operation rather than match on the URL; confirm that your storefront does not rely on order() for guest users before enabling it.
🧯 If You Can't Patch
- Implement strict access controls on GraphQL endpoints to verify user authorization before processing order queries.
- Monitor and alert on unusual patterns of order data access, especially from unauthenticated or external sources.
🔍 How to Verify
Check if Vulnerable:
Check the running Saleor version and compare it against the patched releases (3.22.29, 3.21.45, 3.20.110); any older version on the same release line is vulnerable.
Check Version:
python -c "import saleor; print(saleor.__version__)"
Verify Fix Applied:
After patching, send an order(id:) query for a known order to the GraphQL endpoint without any Authorization header and confirm the response denies access (a null order and/or a permission error) rather than returning the order's fields.
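The post-patch check above, as an added verification script (not part of the advisory or of Saleor itself). It POSTs a single-order query with no Authorization header and classifies the JSON reply; the endpoint URL, the order ID and the two sample responses are constructed assumptions, so run it against your own instance with the ID of a test order you created.

```python
# Added verification helper; not part of the advisory or of Saleor itself.
import json
from urllib import error, request

# Hypothetical endpoint; Saleor serves all GraphQL operations from /graphql/.
GRAPHQL_URL = "https://shop.example.com/graphql/"

# A single-order lookup requesting the PII-bearing fields of Saleor's Order type.
ORDER_QUERY = """
query VerifyOrderAccess($id: ID!) {
  order(id: $id) {
    id
    number
    userEmail
    shippingAddress { firstName lastName streetAddress1 city postalCode }
  }
}
"""


def classify_response(body):
    """Return 'exposed' if a non-null order came back, otherwise 'denied'.

    A patched instance answers an anonymous query with a null order (usually
    together with a permission error); any populated order object means the
    unauthenticated lookup still succeeds.
    """
    order = (body.get("data") or {}).get("order")
    return "exposed" if order else "denied"


def check_unauthenticated_access(order_id, url=GRAPHQL_URL, timeout=10):
    """POST the order query with no Authorization header and classify the reply."""
    payload = json.dumps({"query": ORDER_QUERY, "variables": {"id": order_id}}).encode()
    req = request.Request(
        url,
        data=payload,
        headers={"Content-Type": "application/json"},  # deliberately no auth header
        method="POST",
    )
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except error.HTTPError as exc:
        # Some deployments answer GraphQL errors with a 4xx; the body is still JSON.
        try:
            body = json.loads(exc.read().decode("utf-8", "replace"))
        except ValueError:
            body = {}
    except error.URLError:
        return "unreachable"
    return classify_response(body)


# Constructed sample responses (not captured from a real instance) showing the
# two shapes classify_response distinguishes.
SAMPLE_DENIED = {
    "data": {"order": None},
    "errors": [{"message": "You do not have permission to perform this action."}],
}
SAMPLE_EXPOSED = {
    "data": {
        "order": {
            "id": "T3JkZXI6MQ==",  # constructed global ID
            "number": "1",
            "userEmail": "alice@example.com",
            "shippingAddress": {"firstName": "Alice", "lastName": "Doe",
                                "streetAddress1": "1 Main St", "city": "Springfield",
                                "postalCode": "00000"},
        }
    },
}

if __name__ == "__main__":
    # Replace the ID with one of your own test orders before running.
    print(check_unauthenticated_access("T3JkZXI6MQ=="))
```

Anything other than "denied" after patching means either the patch is not the one actually serving traffic (check the version on every replica, not just the one you upgraded) or a cache or proxy in front of Saleor is still replaying pre-patch responses.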
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful order queries
- Unusual volume of order() GraphQL queries from single IP
- Order data access from unauthenticated sessions
Network Indicators:
- order() queries sent to the /graphql/ endpoint without an Authorization header
- Unusual patterns in GraphQL query structure targeting order data
SIEM Query (Splunk-style; the source and field names are placeholders to map onto your own log schema):
source="saleor_logs" AND (query="order" OR query="order()") AND user="anonymous" | stats count by src_ip
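The same detection logic as the SIEM query, run offline over sample log lines, as an added example that is not part of the advisory or of Saleor. It assumes a JSON-per-line request log carrying src_ip, user and the raw GraphQL query text; the log lines themselves are constructed, not real Saleor output.

```python
# Added detection example; not from the advisory or from Saleor.
import json
import re
from collections import Counter

# order(...) with optional whitespace; the word boundary and the literal "("
# keep orders(...) and other order-prefixed fields from matching.
ORDER_QUERY_RE = re.compile(r"\border\s*\(")


def parse_events(lines):
    """Yield one dict per well-formed JSON log line, skipping malformed ones."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def anonymous_order_queries(lines):
    """Count order() queries issued without an authenticated user, per source IP."""
    counts = Counter()
    for event in parse_events(lines):
        if event.get("user") != "anonymous":
            continue
        if ORDER_QUERY_RE.search(event.get("query", "")):
            counts[event.get("src_ip", "unknown")] += 1
    return counts


def flag_sources(lines, threshold=1):
    """Return [(src_ip, count)] for IPs at or above threshold, highest count first.

    On a patched instance threshold=1 is right: no anonymous order() query is
    legitimate. On an unpatched one, raise it to surface enumeration bursts.
    """
    counts = anonymous_order_queries(lines)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample log lines (assumed schema: ts, src_ip, user, query).
SAMPLE_LOG = [
    '{"ts":"2026-02-01T10:00:01Z","src_ip":"203.0.113.7","user":"anonymous","query":"query { order(id: \\"T3JkZXI6MQ==\\") { userEmail } }"}',
    '{"ts":"2026-02-01T10:00:02Z","src_ip":"203.0.113.7","user":"anonymous","query":"query { order(id: \\"T3JkZXI6Mg==\\") { userEmail } }"}',
    '{"ts":"2026-02-01T10:00:03Z","src_ip":"203.0.113.7","user":"anonymous","query":"query { order (id: \\"T3JkZXI6Mw==\\") { shippingAddress { city } } }"}',
    '{"ts":"2026-02-01T10:00:04Z","src_ip":"203.0.113.7","user":"anonymous","query":"query { products(first: 5) { edges { node { name } } } }"}',
    '{"ts":"2026-02-01T10:00:05Z","src_ip":"198.51.100.9","user":"staff@example.com","query":"query { order(id: \\"T3JkZXI6MQ==\\") { userEmail } }"}',
    '{"ts":"2026-02-01T10:00:06Z","src_ip":"198.51.100.9","user":"anonymous","query":"query { orders(first: 10) { edges { node { id } } } }"}',
    '{"ts":"2026-02-01T10:00:07Z","src_ip":"198.51.100.9","user":"anonymous","query":"query { order(id: \\"T3JkZXI6NA==\\") { number } }"}',
    'not json at all',
]

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG, threshold=2):
        print(f"{ip}: {n} anonymous order() queries")
```

Matching on the query text rather than on the operation name matters here: an attacker controls the operation name, so an alias or an unnamed query would slip past a rule that only looks at the GraphQL operationName field.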
🔗 References
- https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa
- https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af
- https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153
- https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944
- https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr