CVE-2026-39851 Overview
CVE-2026-39851 is an information disclosure vulnerability in Saleor, an open-source e-commerce platform built with Python and GraphQL. The vulnerability exists in the requestEmailChange() GraphQL mutation, which inadvertently reveals the existence of user email addresses through error messages. This allows attackers to enumerate valid email addresses registered on the platform, potentially facilitating targeted phishing attacks or credential stuffing campaigns.
Critical Impact
Attackers can enumerate valid user email addresses on Saleor e-commerce platforms, enabling targeted phishing campaigns, credential stuffing attacks, and customer privacy violations.
Affected Products
- Saleor versions 2.10.0 to 3.20.117 (fixed in 3.20.118)
- Saleor versions 3.21.0 to 3.21.53 (fixed in 3.21.54)
- Saleor versions 3.22.0 to 3.22.46 (fixed in 3.22.47)
- Saleor versions 3.23.0a0 to 3.23.0a2 (fixed in 3.23.0a3)
Discovery Timeline
- April 8, 2026 - CVE-2026-39851 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-39851
Vulnerability Analysis
This vulnerability is classified as CWE-204 (Observable Response Discrepancy), a type of information disclosure flaw where the application returns different responses based on internal state, allowing attackers to infer sensitive information. In the case of CVE-2026-39851, the requestEmailChange() mutation in Saleor's GraphQL API returns distinct error messages when a user attempts to change their email address to one that already exists in the system versus one that does not.
The flaw enables user enumeration attacks where an attacker can systematically query the API with different email addresses and analyze the response messages to determine which emails are registered on the platform. This type of vulnerability is particularly concerning for e-commerce platforms where customer data privacy is paramount.
Root Cause
The root cause lies in the error handling logic within the requestEmailChange() mutation. Prior to the fix, the application would check if the requested email address was already registered and return an explicit error message indicating the email was in use. This created an observable difference in API responses that could be exploited for enumeration.
The security patches introduced a new JWT token type (JWT_CONFIRM_CHANGE_EMAIL_TYPE = "confirm-email-change") and improved the error handling to provide consistent responses regardless of whether an email exists in the system. Additionally, logging improvements were added to the confirm_email_change.py mutation handler.
Attack Vector
The attack can be executed remotely over the network by any authenticated user (low privilege required). An attacker would:
- Authenticate to the Saleor platform with any valid account
- Send requestEmailChange() mutations with target email addresses
- Analyze the error responses to differentiate between existing and non-existing emails
- Compile a list of valid email addresses for further attacks
# Security patch in saleor/core/jwt.py - introduces new JWT type for email change confirmation
JWT_ACCESS_TYPE = "access"
JWT_REFRESH_TYPE = "refresh"
+JWT_CONFIRM_CHANGE_EMAIL_TYPE = "confirm-email-change"
JWT_THIRDPARTY_ACCESS_TYPE = "thirdparty"
JWT_REFRESH_TOKEN_COOKIE_NAME = "refreshToken"
Source: GitHub Commit
Detection Methods for CVE-2026-39851
Indicators of Compromise
- Abnormally high volume of requestEmailChange GraphQL mutation requests from a single user or IP address
- Repeated failed email change requests with different target email addresses in rapid succession
- API access patterns indicating systematic enumeration behavior (sequential or dictionary-based email testing)
Detection Strategies
- Monitor GraphQL query logs for excessive requestEmailChange mutation calls with varying email parameters
- Implement rate limiting on the requestEmailChange endpoint to detect and throttle enumeration attempts
- Set up alerting for authentication patterns that suggest automated scripting against user account mutations
- Analyze WAF logs for patterns consistent with user enumeration attacks
Monitoring Recommendations
- Configure logging to capture all requestEmailChange mutation attempts with source IP and user context
- Establish baseline metrics for email change requests and alert on statistical anomalies
- Implement real-time monitoring dashboards for GraphQL API abuse patterns
- Enable audit logging for all account-related mutations to support forensic investigation
How to Mitigate CVE-2026-39851
Immediate Actions Required
- Upgrade Saleor to the latest patched version corresponding to your branch (3.20.118, 3.21.54, 3.22.47, or 3.23.0a3)
- Review API access logs for evidence of prior enumeration attempts against the requestEmailChange mutation
- Implement rate limiting on GraphQL mutations as an additional defense layer
- Consider enabling CAPTCHA or similar bot-detection mechanisms for sensitive account operations
Patch Information
Security patches have been released across multiple Saleor branches. The fix introduces a new JWT token type for email change confirmation (JWT_CONFIRM_CHANGE_EMAIL_TYPE) and modifies the error handling to prevent information leakage. The patches can be found in the following commits:
For complete details, see the GitHub Security Advisory GHSA-m3rm-m4vq-27x7.
Workarounds
- Implement a Web Application Firewall (WAF) rule to rate-limit requestEmailChange mutations per user/session
- Deploy GraphQL query complexity limiting to prevent bulk enumeration attempts
- Add a uniform response delay to the email change endpoint to mask timing differences
- Consider temporarily disabling the email change functionality until patching is complete
# Example nginx rate limiting configuration for GraphQL endpoint
limit_req_zone $binary_remote_addr zone=graphql_limit:10m rate=10r/m;
location /graphql/ {
limit_req zone=graphql_limit burst=5 nodelay;
proxy_pass http://saleor_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
