{"id":"CVE-2026-33756","summary":"Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching","details":"Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.","aliases":["GHSA-24jw-f244-qfpp"],"modified":"2026-07-08T08:12:26.876606966Z","published":"2026-04-08T17:07:57.920Z","database_specific":{"cwe_ids":["CWE-770"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33756.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33756.json"},{"type":"ADVISORY","url":"https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33756"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saleor/saleor","events":[{"introduced":"6c0861e12fcf01a00b6290391d1907b60c4d7b18"},{"fixed":"e570cf75807a6a27268e8559d8cca54ae466b192"},{"introduced":"85cf5208a1d017db74dc4d1e89c3e5e8d6685513"},{"fixed":"07f6ffdb6b37f289bbfd5810c0b27f992f4c7838"},{"introduced":"6cfb77430ddbc53f48dfd3462fbefaad4e8c3d45"},{"fixed":"d0f9abb5f47c0642829b60207593e878506d97f3"},{"fixed":"7be352fa8c35875d6e66d36493ca7c14c101bd64"},{"fixed":"cdb66da97abb7c86939e384914cd8d9194f378e8"},{"fixed":"d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"},{"fixed":"e42aa4d6e588982e78942b033af051c8ec8f43fa"},{"fixed":"f0371bdd4cafcc841f1a9e7049cead6133bf7464"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.0.0"},{"fixed":"3.20.118"},{"introduced":"3.21.0"},{"fixed":"3.21.54"},{"introduced":"3.22.0"},{"fixed":"3.22.47"}]}}],"versions":["3.22.16","3.21.53","3.22.46","3.21.52","3.22.45","3.22.44","3.22.43","3.21.51","3.22.42","3.21.50","3.22.41","3.22.40","3.22.39","3.22.38","3.22.37","3.22.36","3.22.35","3.22.34","3.22.33","3.21.49","3.22.32","3.21.48","3.21.47","3.22.31","3.21.46","3.22.30","3.21.45","3.22.29","3.22.28","3.21.44","3.22.27","3.21.43","3.21.42","3.22.26","3.21.41","3.22.25","3.22.24","3.21.40","3.22.23","3.22.22","3.21.39","3.22.21","3.21.38","3.22.20","3.21.37","3.22.19","3.22.18","3.22.17","3.21.36","3.21.35","3.22.15","3.22.14","3.22.13","3.21.34","3.22.12","3.22.11","3.21.33","3.22.10","3.21.32","3.21.31","3.22.9","3.22.8","3.21.30","3.22.7","3.21.29","3.22.6","3.21.28","3.22.5","3.21.27","3.22.4","3.21.26","3.22.3","3.22.2","3.21.25","3.22.1","3.21.24","3.21.23","3.22.0","3.21.22","3.21.21","3.21.20","3.21.19","3.21.18","3.21.17","3.21.16","3.21.15","3.21.14","3.21.13","3.21.12","3.21.11","3.21.10","3.21.9","3.21.8","3.21.7","3.21.6","3.21.5","3.21.4","3.21.3","3.21.2","3.21.1","3.21.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33756.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}