CVE-2026-35401 Overview
Saleor is an open-source e-commerce platform built with Python and GraphQL. A resource exhaustion vulnerability exists in Saleor versions from 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. This vulnerability allows a malicious actor to include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in server resource exhaustion and potential denial of service.
Critical Impact
Unauthenticated attackers can exhaust server resources through crafted GraphQL requests, potentially causing service disruption for legitimate e-commerce customers and business operations.
Affected Products
- Saleor versions 2.0.0 to before 3.20.118
- Saleor versions 3.21.x before 3.21.54
- Saleor versions 3.22.x before 3.22.47
- Saleor versions 3.23.x before 3.23.0a3
Discovery Timeline
- 2026-04-08 - CVE-2026-35401 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35401
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The Saleor GraphQL API lacks proper request complexity analysis and rate limiting mechanisms that would prevent abuse through batched operations.
GraphQL's flexibility allows clients to request multiple operations in a single HTTP request using aliases (allowing the same query/mutation to be called multiple times with different names) or by chaining sequential mutations. Without proper safeguards, an attacker can craft requests containing hundreds or thousands of operations, forcing the server to process all of them before returning a response.
The attack does not require authentication, meaning any network-accessible Saleor instance running vulnerable versions is at risk. The vulnerability can be exploited remotely with low attack complexity, requiring no user interaction. While the confidentiality and integrity of data remain unaffected, the availability impact is significant as server resources become exhausted.
Root Cause
The root cause is the absence of query complexity limits and batch operation restrictions in the Saleor GraphQL implementation. The platform does not enforce:
- Maximum query depth validation
- Operation cost analysis before execution
- Limits on the number of aliases per request
- Restrictions on chained mutations within a single request
- Rate limiting based on request complexity
Attack Vector
An attacker exploits this vulnerability by sending specially crafted GraphQL requests to the Saleor API endpoint. The attack can be executed in two primary ways:
Alias Abuse: Using GraphQL aliases, an attacker can execute the same query or mutation multiple times within a single request. Each alias triggers a separate execution cycle, consuming server CPU, memory, and database connections.
Mutation Chaining: By chaining numerous mutations in sequence, the attacker forces the server to process each operation sequentially, holding resources for extended periods.
The vulnerability is exploited by constructing a GraphQL request with an excessive number of aliased operations or chained mutations. For example, an attacker might send a single request containing hundreds of productCreate mutations with unique aliases, overwhelming the server's processing capacity. For detailed technical information, refer to the GitHub Security Advisory.
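The safeguards listed under Root Cause (a cap on root-level operations and aliases, and a depth limit) can be enforced before any resolver runs. The following is an added example written for this page, not Saleor's own fix and not the upstream patch: it scans a GraphQL document, counts root-level selections (aliased repeats included) and nesting depth, and rejects documents over a budget. The brace-depth scan over a string- and comment-stripped document stands in for a real GraphQL parser so the example needs no third-party package, and the limits, sample documents and function names are assumptions made here.

```python
"""Structural pre-check for GraphQL requests (added example, not Saleor's code)."""
import re
from dataclasses import dataclass

MAX_ROOT_SELECTIONS = 10   # assumed budget per request
MAX_DEPTH = 8              # assumed maximum nesting of selection sets


@dataclass(frozen=True)
class QueryShape:
    root_selections: int          # fields/spreads directly under an operation or fragment
    aliased_root_selections: int  # how many of those carry an alias
    max_depth: int                # deepest nested selection set


def _strip_strings_and_comments(query: str) -> str:
    # Braces inside string values or comments must not affect depth counting.
    query = re.sub(r'"""[\s\S]*?"""', '""', query)
    query = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', query)
    return re.sub(r'#[^\n]*', '', query)


def _read_name(text: str, pos: int) -> tuple[str, int]:
    """Skip whitespace/commas, read one GraphQL Name; return (name, end_pos)."""
    n = len(text)
    while pos < n and text[pos] in ' \t\r\n,':
        pos += 1
    start = pos
    while pos < n and (text[pos].isalnum() or text[pos] == '_'):
        pos += 1
    return text[start:pos], pos


def analyze_query(query: str) -> QueryShape:
    text = _strip_strings_and_comments(query)
    n = len(text)
    depth = max_depth = roots = aliased = paren = 0
    i = 0
    while i < n:
        ch = text[i]
        if ch == '(':
            paren += 1
        elif ch == ')':
            paren -= 1
        elif paren:
            pass  # inside an argument list: input-object braces are not selection sets
        elif ch == '{':
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == '}':
            depth -= 1
        elif ch == '@':
            _, i = _read_name(text, i + 1)  # directive name; its arguments are handled via paren
            continue
        elif depth == 1 and ch == '.':
            roots += 1  # fragment spread "...Name" or inline fragment "... on Type"
            name, i = _read_name(text, i + 3)
            if name == 'on':
                _, i = _read_name(text, i)
            continue
        elif depth == 1 and (ch.isalpha() or ch == '_'):
            roots += 1  # a field directly under the operation (or fragment) root
            _, i = _read_name(text, i)
            look, probe = _read_name(text, i)
            if look == '' and probe < n and text[probe] == ':':
                aliased += 1                        # "alias: field"
                _, i = _read_name(text, probe + 1)  # consume the real field name
            continue
        i += 1
    return QueryShape(roots, aliased, max_depth)


def check_request(query: str) -> tuple[bool, str]:
    """Return (allowed, reason); call before handing the document to the executor."""
    shape = analyze_query(query)
    if shape.root_selections > MAX_ROOT_SELECTIONS:
        return False, f"{shape.root_selections} root selections exceed limit {MAX_ROOT_SELECTIONS}"
    if shape.max_depth > MAX_DEPTH:
        return False, f"selection depth {shape.max_depth} exceeds limit {MAX_DEPTH}"
    return True, "ok"


# Constructed sample documents: an ordinary storefront query and an alias-batched
# mutation of the shape the advisory describes (used only as test input here).
NORMAL_QUERY = """
query Products($first: Int!) {
  products(first: $first) {
    edges { node { id name } }
  }
  shop { name }
}
"""
BATCHED_MUTATION = "mutation {\n" + "".join(
    f'  op{i}: productCreate(input: {{name: "p{i}"}}) {{ product {{ id }} }}\n'
    for i in range(50)
) + "}\n"

if __name__ == "__main__":
    for label, doc in (("normal", NORMAL_QUERY), ("batched", BATCHED_MUTATION)):
        print(label, analyze_query(doc), check_request(doc))
```

Running the check in front of the executor means a rejected document costs one string scan rather than fifty database round trips. The root-selection count also captures fragment spreads and inline fragments, so moving the repeated operations into a fragment does not bypass the budget; in a production deployment the same counts are what a GraphQL-aware gateway or a validation rule in the server's own parser would compute.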
Detection Methods for CVE-2026-35401
Indicators of Compromise
- Abnormally large GraphQL request payloads to the /graphql/ endpoint
- High frequency of requests from single IP addresses targeting the GraphQL API
- Server resource spikes (CPU, memory, database connections) coinciding with GraphQL traffic
- Slow response times or timeouts affecting the e-commerce platform
- Log entries showing requests with unusually high numbers of aliases or operations
Detection Strategies
- Implement request body size monitoring for GraphQL endpoints to detect oversized payloads
- Deploy Web Application Firewall (WAF) rules to inspect GraphQL request structure and flag requests with excessive aliases
- Configure alerting for sudden increases in GraphQL query execution time
- Monitor server resource utilization patterns and correlate with API traffic logs
- Analyze network traffic for repeated patterns consistent with automated exploitation attempts
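The indicators and strategies above can be turned into a simple offline check over access logs. The script below is an added example for this page, not tooling from the Saleor project: it parses nginx-style access log lines in an assumed format (remote address, time, request line, status, request_length, request_time), and flags oversized GraphQL bodies, slow GraphQL responses and per-IP request bursts. The thresholds, the log format and the sample log lines are all constructed assumptions.

```python
"""Access-log detector for GraphQL resource-exhaustion indicators (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed line format: remote_addr [time_local] "request" status request_length request_time
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<length>\d+) (?P<rtime>[\d.]+)$'
)


@dataclass(frozen=True)
class Record:
    ip: str
    ts: float      # epoch seconds
    method: str
    path: str
    status: int
    length: int    # request_length: bytes received, including the body
    rtime: float   # request_time in seconds


def parse_log(text: str) -> list[Record]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than aborting the run
        ts = datetime.strptime(m['time'], '%d/%b/%Y:%H:%M:%S %z').timestamp()
        records.append(Record(m['ip'], ts, m['method'], m['path'],
                              int(m['status']), int(m['length']), float(m['rtime'])))
    return records


def _peak_in_window(times: list[float], window: float) -> int:
    """Largest number of events inside any span of `window` seconds (sliding window)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_anomalies(records, graphql_path='/graphql/', max_body=100_000,
                   slow_seconds=2.0, window_seconds=10, max_per_window=20):
    """Return oversized and slow GraphQL requests, plus IPs whose request rate spiked."""
    gql = [r for r in records if r.path == graphql_path]
    oversized = [r for r in gql if r.length > max_body]
    slow = [r for r in gql if r.rtime > slow_seconds]
    by_ip = defaultdict(list)
    for r in gql:
        by_ip[r.ip].append(r.ts)
    bursts = {}
    for ip, times in by_ip.items():
        peak = _peak_in_window(times, window_seconds)
        if peak > max_per_window:
            bursts[ip] = peak
    return {'oversized': oversized, 'slow': slow, 'bursts': bursts}


# Constructed sample log: normal storefront traffic, three very large and slow
# GraphQL requests from one address, and a 25-request burst from another.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 [08/Apr/2026:10:00:01 +0000] "POST /graphql/ HTTP/1.1" 200 1842 0.041',
    '203.0.113.10 [08/Apr/2026:10:00:02 +0000] "POST /graphql/ HTTP/1.1" 200 1790 0.038',
    '198.51.100.7 [08/Apr/2026:10:00:02 +0000] "POST /graphql/ HTTP/1.1" 200 412388 9.812',
    '198.51.100.7 [08/Apr/2026:10:00:03 +0000] "POST /graphql/ HTTP/1.1" 200 410902 10.337',
    '198.51.100.7 [08/Apr/2026:10:00:03 +0000] "POST /graphql/ HTTP/1.1" 503 409110 30.001',
    '203.0.113.10 [08/Apr/2026:10:00:05 +0000] "GET /dashboard/ HTTP/1.1" 200 512 0.012',
] + [
    '198.51.100.9 [08/Apr/2026:10:00:04 +0000] "POST /graphql/ HTTP/1.1" 200 1500 0.050'
] * 25)

if __name__ == "__main__":
    result = find_anomalies(parse_log(SAMPLE_LOG))
    print("oversized:", [(r.ip, r.length) for r in result['oversized']])
    print("slow:", [(r.ip, r.rtime) for r in result['slow']])
    print("bursts:", result['bursts'])
```

The three signals are deliberately kept separate: a single large body, a single slow request, or a burst of small requests each points to a different way of exhausting the server, and correlating them with the CPU and database-connection metrics named above is what turns a flagged address into an incident.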
Monitoring Recommendations
- Enable detailed logging for the Saleor GraphQL API including request complexity metrics
- Set up baseline metrics for normal GraphQL query patterns to identify anomalies
- Implement real-time alerting for resource utilization thresholds on application servers
- Monitor database connection pool usage for unusual spikes during GraphQL request processing
How to Mitigate CVE-2026-35401
Immediate Actions Required
- Upgrade Saleor to a patched version: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 depending on your release branch
- Implement rate limiting at the load balancer or WAF level for the GraphQL endpoint
- Configure request body size limits to prevent excessively large GraphQL payloads
- Monitor server resources and GraphQL API performance for signs of exploitation attempts
- Review access logs for evidence of prior exploitation
Patch Information
The vulnerability is fixed in Saleor versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Users should upgrade to the appropriate patched version for their release branch. For complete details on the security fix, see the GitHub Security Advisory.
Workarounds
- Deploy a GraphQL-aware WAF or API gateway that can enforce query depth and complexity limits
- Implement rate limiting at the infrastructure level (e.g., nginx, load balancer) for the /graphql/ endpoint
- Configure maximum request body size limits to restrict oversized GraphQL payloads
- Consider implementing IP-based throttling for unauthenticated GraphQL requests
- Use a reverse proxy to add query complexity analysis before requests reach Saleor
```nginx
# Example nginx rate limiting configuration for the GraphQL endpoint.
# limit_req_zone belongs in the http {} context; the location block goes in the
# server {} that fronts Saleor. saleor_backend is an upstream {} defined elsewhere.
limit_req_zone $binary_remote_addr zone=graphql_limit:10m rate=10r/s;

location /graphql/ {
    # Per-client limit of 10 r/s with a burst of 20; nodelay rejects excess
    # requests immediately (503 by default) instead of queueing them.
    limit_req zone=graphql_limit burst=20 nodelay;
    # Reject request bodies over 100 KB before they reach the application.
    client_max_body_size 100k;
    proxy_pass http://saleor_backend;
}
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.