CVE-2026-23499 Overview
CVE-2026-23499 is a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting Saleor, a popular open-source e-commerce platform. The vulnerability allows authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript code. When these files are served from the same domain as the dashboard without proper security headers, attackers can execute malicious scripts in the context of other users' browsers.
Critical Impact
Malicious staff members can craft script injections targeting other staff members, potentially stealing access tokens and refresh tokens, leading to complete account compromise.
Affected Products
- Saleor versions 3.0.0 through 3.20.107
- Saleor versions 3.21.0 through 3.21.42
- Saleor versions 3.22.0 through 3.22.26
Discovery Timeline
- 2026-01-21 - CVE CVE-2026-23499 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-23499
Vulnerability Analysis
This vulnerability stems from insufficient validation of uploaded file types in Saleor's file upload functionality. The platform allowed authenticated staff users and API applications to upload arbitrary files without proper content-type restrictions. When malicious HTML or SVG files containing embedded JavaScript are uploaded and subsequently served from the same domain as the Saleor dashboard, the browser executes the malicious scripts with full access to the user's session context.
The attack is particularly dangerous in deployment configurations where media files are hosted under the same domain as the dashboard (e.g., example.com/media/ alongside example.com/dashboard/). In such scenarios, the same-origin policy does not protect against the malicious scripts, allowing them to access cookies, session storage, and other sensitive data belonging to the dashboard application.
Root Cause
The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). Saleor lacked proper file type validation and MIME type enforcement for uploaded files. The platform failed to:
- Restrict file uploads to safe MIME types only
- Validate actual file content against declared file types
- Enforce Content-Disposition: attachment headers for served files
- Implement proper Content Security Policy for media files
Attack Vector
The attack requires network access and authentication as a staff user or API application. An attacker would:
- Authenticate to the Saleor platform with staff credentials
- Upload a malicious SVG or HTML file containing JavaScript payload
- Share or embed the link to the uploaded file with target users
- When victims access the file, the JavaScript executes in their browser context
- The malicious script can steal access tokens, refresh tokens, or perform actions on behalf of the victim
The security patches introduce proper file type validation and MIME type checking:
class UploadErrorCode(Enum):
GRAPHQL_ERROR = "graphql_error"
+ INVALID_FILE_TYPE = "invalid_file_type"
+ UNSUPPORTED_MIME_TYPE = "unsupported_mime_type"
class CoreErrorCode(Enum):
Source: Saleor Commit #77f7927
The view layer was also updated to add proper file handling and logging:
+import logging
import os
-from django.http import JsonResponse
+from django.conf import settings
+from django.http import FileResponse, Http404, HttpRequest, HttpResponse, JsonResponse
from django.template.response import TemplateResponse
+from django.views.static import serve
from .jwt_manager import get_jwt_manager
+logger = logging.getLogger(__name__)
def home(request):
storefront_url = os.environ.get("STOREFRONT_URL", "")
Source: Saleor Commit #7d33efc
Detection Methods for CVE-2026-23499
Indicators of Compromise
- Unusual file uploads with .svg, .html, or .htm extensions containing script tags or JavaScript event handlers
- Staff user accounts uploading multiple files with similar naming patterns or suspicious content
- Access logs showing staff members accessing media URLs that were uploaded by other users
- Browser console errors or unusual network requests originating from media file URLs
Detection Strategies
- Monitor file upload endpoints for suspicious file types including SVG, HTML, and XML files containing script elements
- Implement server-side scanning of uploaded files for embedded JavaScript, event handlers, and malicious content patterns
- Review web server access logs for patterns indicating exploitation attempts, such as direct access to uploaded media files from dashboard sessions
- Deploy web application firewall rules to detect and block uploads containing script content in file bodies
Monitoring Recommendations
- Enable detailed logging for all file upload operations including user identity, file type, and file content hashes
- Set up alerts for uploads of potentially dangerous file types from staff accounts
- Monitor for token theft indicators such as unexpected session invalidations or credential changes
- Implement Content Security Policy violation reporting to detect attempted script execution from media domains
How to Mitigate CVE-2026-23499
Immediate Actions Required
- Upgrade to patched Saleor versions: 3.22.27, 3.21.43, or 3.20.108 immediately
- Audit existing uploaded media files for malicious HTML and SVG content
- Revoke and rotate all staff access tokens and refresh tokens as a precaution
- Review staff user activity logs for suspicious file upload patterns
Patch Information
Security patches have been released in Saleor versions 3.22.27, 3.21.43, and 3.20.108. The patches introduce new error codes (INVALID_FILE_TYPE and UNSUPPORTED_MIME_TYPE) to properly validate and reject dangerous file uploads. Multiple commits address the vulnerability:
For complete details, see the GitHub Security Advisory GHSA-666h-2p49-pg95 and Saleor Restricted File Uploads documentation.
Workarounds
- Configure CDN or reverse proxy to return Content-Disposition: attachment header for all media files, forcing browsers to download rather than render files
- Host media files on a separate domain (e.g., media.example.com) isolated from the dashboard domain to leverage same-origin policy protection
- Block HTML and SVG file uploads at the web server or CDN level until patches can be applied
- Implement a Content Security Policy for media files: Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';
# Nginx configuration example for Content-Disposition header
location /media/ {
add_header Content-Disposition "attachment" always;
add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
