{"id":"CVE-2026-35407","summary":"Saleor has Cross-Account Email Change via Unbound Confirmation Token","details":"Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticated user. As a result, a valid email-change token generated for one account can be replayed while authenticated as a different account. The second account’s email address is then updated to the token's new_email, even though that token was never issued for that account. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.","aliases":["GHSA-hwph-9537-mc3p"],"modified":"2026-07-08T08:12:58.289929312Z","published":"2026-04-08T17:24:39.716Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35407.json","cwe_ids":["CWE-285"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35407.json"},{"type":"ADVISORY","url":"https://github.com/saleor/saleor/security/advisories/GHSA-hwph-9537-mc3p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35407"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saleor/saleor","events":[{"introduced":"0935d4e6e251fad97213f11311bc2a2150e3efd9"},{"fixed":"e570cf75807a6a27268e8559d8cca54ae466b192"},{"introduced":"8151200bc3657b4c9d77244298313f2727d1f674"},{"fixed":"07f6ffdb6b37f289bbfd5810c0b27f992f4c7838"},{"introduced":"6cfb77430ddbc53f48dfd3462fbefaad4e8c3d45"},{"fixed":"d0f9abb5f47c0642829b60207593e878506d97f3"},{"introduced":"e11a5557eff29fbb2eed36e6ff3cd0af08ab9e10"},{"fixed":"7be352fa8c35875d6e66d36493ca7c14c101bd64"},{"fixed":"cdb66da97abb7c86939e384914cd8d9194f378e8"},{"fixed":"d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a"},{"fixed":"e42aa4d6e588982e78942b033af051c8ec8f43fa"},{"fixed":"f0371bdd4cafcc841f1a9e7049cead6133bf7464"}],"database_specific":{"cpe":["cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","cpe:2.3:a:saleor:saleor:3.23.0:*:*:*:*:*:*:*","cpe:2.3:a:saleor:saleor:3.23.0:a0:*:*:*:*:*:*","cpe:2.3:a:saleor:saleor:3.23.0:a1:*:*:*:*:*:*","cpe:2.3:a:saleor:saleor:3.23.0:a2:*:*:*:*:*:*"],"source":["CPE_RANGE","CPE_STRING","REFERENCES"],"extracted_events":[{"introduced":"2.10.0"},{"fixed":"3.20.118"},{"introduced":"3.20.119"},{"fixed":"3.21.54"},{"introduced":"3.22.0"},{"fixed":"3.22.47"},{"introduced":"3.23.0"},{"last_affected":"3.23.0"},{"introduced":"3.23.0-a0"},{"last_affected":"3.23.0-a0"},{"introduced":"3.23.0-a1"},{"last_affected":"3.23.0-a1"},{"introduced":"3.23.0-a2"},{"last_affected":"3.23.0-a2"}]}}],"versions":["3.23.0","3.23.0-a0","3.23.0-a1","3.23.0-a2","3.22.16","3.21.53","3.22.46","3.20.117","3.23.0-a.2","3.20.116","3.21.52","3.22.45","3.23.0-a.1","3.22.44","3.23.0-a.0","3.22.43","3.20.115","3.21.51","3.22.42","3.20.114","3.21.50","3.22.41","3.22.40","3.22.39","3.22.38","3.22.37","3.22.36","3.22.35","3.22.34","3.20.113","3.22.33","3.21.49","3.22.32","3.21.48","3.20.112","3.20.111","3.21.47","3.22.31","3.21.46","3.22.30","3.20.110","3.21.45","3.22.29","3.22.28","3.21.44","3.20.109","3.20.108","3.22.27","3.21.43","3.21.42","3.22.26","3.20.107","3.21.41","3.22.25","3.22.24","3.20.106","3.21.40","3.22.23","3.22.22","3.21.39","3.22.21","3.20.105","3.21.38","3.22.20","3.21.37","3.22.19","3.22.18","3.22.17","3.21.36","3.21.35","3.22.15","3.22.14","3.22.13","3.21.34","3.22.12","3.22.11","3.21.33","3.22.10","3.21.32","3.20.104","3.21.31","3.22.9","3.20.103","3.22.8","3.21.30","3.20.102","3.22.7","3.21.29","3.22.6","3.21.28","3.22.5","3.21.27","3.22.4","3.21.26","3.20.101","3.22.3","3.22.2","3.21.25","3.20.100","3.22.1","3.21.24","3.21.23","3.22.0","3.21.22","3.20.99","3.21.21","3.21.20","3.21.19","3.21.18","3.21.17","3.21.16","3.21.15","3.20.98","3.21.14","3.21.13","3.21.12","3.20.97","3.21.11","3.21.10","3.20.96","3.21.9","3.20.95","3.20.94","3.21.8","3.21.7","3.20.93","3.21.6","3.20.92","3.21.5","3.20.91","3.21.4","3.20.90","3.21.3","3.20.89","3.21.2","3.21.1","3.21.0","3.20.88","3.21.0-a.6","3.21.0-a.5","3.21.0-a.4","3.20.87","3.20.86","3.20.85","3.20.84","3.20.83","3.21.0-a.0","3.20.82","3.20.81","3.20.80","3.20.79","3.20.78","3.20.77","3.20.76","3.20.75","3.17.69","3.20.74","3.20.73","3.20.72","3.20.71","3.20.70","3.20.69","3.20.68","3.20.67","3.20.66","3.20.65","3.20.64","3.20.63","3.20.62","3.20.61","3.20.60","3.20.59","3.20.58","3.20.57","3.20.56","3.20.55","3.20.54","3.20.53","3.20.52","3.20.51","3.20.50","3.20.49","3.20.48","3.20.47","3.20.46","3.20.45","3.20.44","3.20.43","3.20.42","3.20.41","3.20.40","3.20.39","3.20.38","3.20.37","3.20.36","3.20.35","3.20.34","3.20.33","3.20.32","3.20.31","3.20.30","3.20.29","3.20.28","3.20.27","3.20.26","3.20.25","3.20.24","3.20.23","3.20.22","3.20.19","3.20.21","3.20.20","3.20.18","3.20.17","3.20.16","3.20.15","3.20.14","3.20.13","3.20.12","3.20.11","3.14.84","3.20.10","3.20.9","3.20.8","3.20.7","3.20.6","3.20.5","3.20.4","3.20.3","3.20.2","3.20.1","3.20.0","3.20.0-a.1","3.20.0-a.0","3.16.42","3.15.41","3.14.67","3.19.0-a.0","3.18.0-a.0","3.17.0-a.0","3.16.0-a.0","3.15.0-a.0","3.13.0-a.0","3.12.0-a.0","3.11.0-a.0","3.2.0","3.0.0-a.0","2.10.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35407.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}]}