CVE-2026-33756

Source
https://cve.org/CVERecord?id=CVE-2026-33756
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33756.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33756
Aliases
  • GHSA-24jw-f244-qfpp
Published
2026-04-08T17:07:57.920Z
Modified
2026-07-08T08:12:26.876606966Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching
Details

Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33756.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/saleor/saleor

Affected ranges

Type
GIT
Repo
https://github.com/saleor/saleor
Events
Database specific
{
    "cpe": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "3.20.118"
        },
        {
            "introduced": "3.21.0"
        },
        {
            "fixed": "3.21.54"
        },
        {
            "introduced": "3.22.0"
        },
        {
            "fixed": "3.22.47"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

3.*
3.21.0
3.21.1
3.21.10
3.21.11
3.21.12
3.21.13
3.21.14
3.21.15
3.21.16
3.21.17
3.21.18
3.21.19
3.21.2
3.21.20
3.21.21
3.21.22
3.21.23
3.21.24
3.21.25
3.21.26
3.21.27
3.21.28
3.21.29
3.21.3
3.21.30
3.21.31
3.21.32
3.21.33
3.21.34
3.21.35
3.21.36
3.21.37
3.21.38
3.21.39
3.21.4
3.21.40
3.21.41
3.21.42
3.21.43
3.21.44
3.21.45
3.21.46
3.21.47
3.21.48
3.21.49
3.21.5
3.21.50
3.21.51
3.21.52
3.21.53
3.21.6
3.21.7
3.21.8
3.21.9
3.22.0
3.22.1
3.22.10
3.22.11
3.22.12
3.22.13
3.22.14
3.22.15
3.22.16
3.22.17
3.22.18
3.22.19
3.22.2
3.22.20
3.22.21
3.22.22
3.22.23
3.22.24
3.22.25
3.22.26
3.22.27
3.22.28
3.22.29
3.22.3
3.22.30
3.22.31
3.22.32
3.22.33
3.22.34
3.22.35
3.22.36
3.22.37
3.22.38
3.22.39
3.22.4
3.22.40
3.22.41
3.22.42
3.22.43
3.22.44
3.22.45
3.22.46
3.22.5
3.22.6
3.22.7
3.22.8
3.22.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33756.json"