CVE-2026-33756— Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33756
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching
Source: NVD (National Vulnerability Database)
Vulnerability Description
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
saleor 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
saleor是Saleor Commerce开源的一个接口软件。 saleor 3.23.0a3之前版本、3.22.47之前版本、3.21.54之前版本和3.20.118之前版本存在安全漏洞,该漏洞源于未对GraphQL批处理操作数量设置上限,可能导致资源耗尽。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
II. Public POCs for CVE-2026-33756
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7633 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-33756
请登录查看更多情报信息。
Same Patch Batch · saleor · 2026-04-08 · 4 CVEs total
| CVE-2026-35401 | 7.5 HIGH | Saleor has a resource exhaustion vulnerability in GraphQL queries |
| CVE-2026-35407 | Saleor has Cross-Account Email Change via Unbound Confirmation Token | |
| CVE-2026-39851 | Saleor has a user enumeration vulnerability due to different error messages |
IV. Related Vulnerabilities
Same product: saleor
- CVE-2026-39851
Saleor has a user enumeration vulnerability due to different - CVE-2026-35407
Saleor has Cross-Account Email Change via Unbound Confirmati - CVE-2026-35401
Saleor has a resource exhaustion vulnerability in GraphQL qu - CVE-2026-24136
Saleor has an Insecure Direct Object Reference (IDOR) in Gra - CVE-2026-23499
Saleor vulnerable to stored XSS via Unrestricted File Upload
Same vendor: saleor
- CVE-2026-39851
Saleor has a user enumeration vulnerability due to different - CVE-2026-35407
Saleor has Cross-Account Email Change via Unbound Confirmati - CVE-2026-35401
Saleor has a resource exhaustion vulnerability in GraphQL qu - CVE-2026-24136
Saleor has an Insecure Direct Object Reference (IDOR) in Gra - CVE-2026-23499
Saleor vulnerable to stored XSS via Unrestricted File Upload
Same weakness: CWE-770
- CVE-2026-42294
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in W - CVE-2026-42189
Russh: Pre-auth DoS via unbounded allocation in keyboard-int - CVE-2026-42793
Atom table exhaustion via attacker-controlled GraphQL SDL na - CVE-2026-44499
ZEBRA: Permanent Block Discovery Halt via Gossip Queue Satur - CVE-2026-44500
ZEBRA: Allocation Amplification in Inbound Network Deseriali
V. Comments for CVE-2026-33756
No comments yet