{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33756", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.125Z", "datePublished": "2026-04-08T17:07:57.920Z", "dateUpdated": "2026-04-08T18:42:28.521Z"}, "containers": {"cna": {"title": "Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp"}, {"name": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"}, {"name": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"}, {"name": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"}, {"name": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"}, {"name": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464", "tags": ["x_refsource_MISC"], "url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"}], "affected": [{"vendor": "saleor", "product": "saleor", "versions": [{"version": ">= 2.0.0, < 3.20.118", "status": "affected"}, {"version": ">= 3.21.0-a.0, < 3.21.54", "status": "affected"}, {"version": ">= 3.22.0-a.0, < 3.22.47", "status": "affected"}, {"version": ">= 3.23.0-a.0, < 3.23.0a3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:07:57.920Z"}, "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "source": {"advisory": "GHSA-24jw-f244-qfpp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:42:19.130571Z", "id": "CVE-2026-33756", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:42:28.521Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118."}], "id": "CVE-2026-33756", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T18:26:00.700", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"}, {"source": "security-advisories@github.com", "url": "https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,3.20.118)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.21.0-a.0,3.21.54)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.22.0-a.0,3.22.47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.23.0-a.0,3.23.0a3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "saleor", "source": "cna", "vendor": "saleor"}, "product": "saleor", "vendor": "saleor"}], "analysis": {"en": {"generated_at": "2026-04-08T18:50:34.745499+00:00", "value": {"mitigation_remediation": ["Upgrade Saleor to version 3.23.0a3 or later, or to the patched releases 3.22.47, 3.21.54, or 3.20.118.", "If an upgrade is not immediately possible, configure a limit on the maximum number of operations in a batched request at the API gateway or load balancer to prevent resource exhaustion.", "Continuously monitor incoming GraphQL requests for unusually large batch sizes and block or rate\u2011limit suspicious traffic."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Saleor e\u2011commerce platform. All releases from 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 are susceptible. Those specific releases have been patched to restrict the maximum number of batched operations.", "description_and_impact": "Saleor allows a client to batch multiple GraphQL operations in a single HTTP request as a JSON array. No upper limit was enforced on the number of operations, which meant an unauthenticated user could submit a single request containing many operations. This bypasses the per\u2011query complexity limit and can exhaust server resources, leading to degraded performance or a complete denial of service. The weakness is categorized as unbounded resource consumption (CWE\u2011770).", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that while the condition is not currently widely exploited, it could be leveraged by an attacker with minimal effort. The likely attack vector is an unauthenticated external request, so any system exposed to public traffic could be targeted. Exploiting this requires no special authentication or privilege and only involves sending a crafted batch request to the GraphQL endpoint."}}}}, "created": "2026-04-08T19:26:42.304396+00:00", "updated": "2026-04-08T19:38:54.843105+00:00", "vendors": ["saleor", "saleor$PRODUCT$saleor"]}