{"id":"CVE-2026-35401","summary":"Saleor has a resource exhaustion vulnerability in GraphQL queries","details":"Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.","aliases":["GHSA-gqqv-xwx3-jj4h"],"modified":"2026-07-08T08:07:10.876814971Z","published":"2026-04-08T17:22:10.683Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35401.json","cwe_ids":["CWE-770"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35401.json"},{"type":"ADVISORY","url":"https://github.com/saleor/saleor/security/advisories/GHSA-gqqv-xwx3-jj4h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35401"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saleor/saleor","events":[{"introduced":"6c0861e12fcf01a00b6290391d1907b60c4d7b18"},{"fixed":"e570cf75807a6a27268e8559d8cca54ae466b192"},{"introduced":"85cf5208a1d017db74dc4d1e89c3e5e8d6685513"},{"fixed":"07f6ffdb6b37f289bbfd5810c0b27f992f4c7838"},{"introduced":"6cfb77430ddbc53f48dfd3462fbefaad4e8c3d45"},{"fixed":"d0f9abb5f47c0642829b60207593e878506d97f3"}],"database_specific":{"extracted_events":[{"introduced":"2.0.0"},{"fixed":"3.20.118"},{"introduced":"3.21.0"},{"fixed":"3.21.54"},{"introduced":"3.22.0"},{"fixed":"3.22.47"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*"}}],"versions":["3.22.16","3.21.53","3.22.46","3.21.52","3.22.45","3.22.44","3.22.43","3.21.51","3.22.42","3.21.50","3.22.41","3.22.40","3.22.39","3.22.38","3.22.37","3.22.36","3.22.35","3.22.34","3.22.33","3.21.49","3.22.32","3.21.48","3.21.47","3.22.31","3.21.46","3.22.30","3.21.45","3.22.29","3.22.28","3.21.44","3.22.27","3.21.43","3.21.42","3.22.26","3.21.41","3.22.25","3.22.24","3.21.40","3.22.23","3.22.22","3.21.39","3.22.21","3.21.38","3.22.20","3.21.37","3.22.19","3.22.18","3.22.17","3.21.36","3.21.35","3.22.15","3.22.14","3.22.13","3.21.34","3.22.12","3.22.11","3.21.33","3.22.10","3.21.32","3.21.31","3.22.9","3.22.8","3.21.30","3.22.7","3.21.29","3.22.6","3.21.28","3.22.5","3.21.27","3.22.4","3.21.26","3.22.3","3.22.2","3.21.25","3.22.1","3.21.24","3.21.23","3.22.0","3.21.22","3.21.21","3.21.20","3.21.19","3.21.18","3.21.17","3.21.16","3.21.15","3.21.14","3.21.13","3.21.12","3.21.11","3.21.10","3.21.9","3.21.8","3.21.7","3.21.6","3.21.5","3.21.4","3.21.3","3.21.2","3.21.1","3.21.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35401.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}