CVE-2026-35407

MEDIUM

Saleor has Cross-Account Email Change via Unbound Confirmation Token

Title source: cna

Description

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account’s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

References (6)

[X_Refsource_Confirm] https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p

[X_Refsource_Misc] https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8

[X_Refsource_Misc] https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a

[X_Refsource_Misc] https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa

[X_Refsource_Misc] https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-285

Status published

Products (6)

saleor/saleor 3.23.0 (4 CPE variants)

saleor/saleor 2.10.0 - 3.20.118

saleor/saleor >= 2.10.0, < 3.20.118

saleor/saleor >= 3.21.0-a.0, < 3.21.54

saleor/saleor >= 3.22.0-a.0, < 3.22.47

saleor/saleor >= 3.23.0-a.0, < 3.23.0a3

Published Apr 08, 2026

Tracked Since Apr 09, 2026