{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T17:43:20.716","vulnerabilities":[{"cve":{"id":"CVE-2026-24136","sourceIdentifier":"security-advisories@github.com","published":"2026-01-24T00:15:49.167","lastModified":"2026-02-12T16:15:00.550","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF."},{"lang":"es","value":"Saleor es una plataforma de comercio electrónico. Las versiones 3.2.0 a 3.20.109, 3.21.0-a.0 a 3.21.44 y 3.22.0-a.0 a 3.22.28 tienen una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) que permite a actores no autenticados extraer información sensible en texto plano. Los pedidos creados antes de Saleor 3.2.0 podrían haber tenido PIIs exfiltrados. El problema ha sido parcheado en las versiones de Saleor: 3.22.29, 3.21.45 y 3.20.110. 
Como solución alternativa, bloquee temporalmente a los usuarios que no son personal de obtener información de pedidos (la consulta GraphQL order()) usando un WAF."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.0","versionEndExcluding":"3.20.110","matchCriteriaId":"1D519693-9F38-49CC-A2AA-7A707AE921C4"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.21.0","versionEndExcluding":"3.21.45","matchCriteriaId":"CD9EA08A-C411-4D72-B4DB-27FAC65202A6"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.22.0","versionEndExcluding":"3.22.29","matchCriteriaId":"72EB08B2-3E6B-40B7-AFE2-783A7FDDFAA3"}]}]}],"references":[{"url":"https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}