PYSEC-2026-1890

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/saleor/PYSEC-2026-1890.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1890
Aliases
Published
2026-07-07T11:45:36.931543Z
Modified
2026-07-07T17:47:49.343758113Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Saleor: Customers' addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method
Details

Summary

Using Pickup: Local stock only as a click-and-collect points could cause a leak of customer addresses

Details

When using Pickup: Local stock only click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address.

Impact

The vulnerability can cause the leak of customer's address when using click-and-collect delivery option marked as Local stock only. It has impact on all orders with click-and-collect delivery method marked as Pickup:Local stock only The affected versions: >=3.14.56 <3.14.61, >=3.15.31 <3.15.37, >=3.16.27 <3.16.34, >=3.17.25 <3.17.32, >=3.18.19 <3.18.28, >=3.19.5 <3.19.15 This issue has been patched in versions: 3.14.61, 3.15.37, 3.16.34, 3.17.32, 3.18.28, 3.19.15

Workaround

We strongly recommend upgrading to the latest versions, in case of inability to upgrade straight away, possible workarounds are: - turn off click-and-collect delivery method on warehouse view when Pickup option is set to Local stock only. - cherry-pick the changes from PRs: https://github.com/saleor/saleor/pull/15694 & https://github.com/saleor/saleor/pull/15697

References

  • Commits introducing the issue (https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761 main, https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26 3.14, https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640 3.15, https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c 3.16, https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4 3.17, https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182 3.18, https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95 3.19)
  • https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b (main branch) https://github.com/saleor/saleor/releases/tag/3.14.60 https://github.com/saleor/saleor/releases/tag/3.14.61 https://github.com/saleor/saleor/releases/tag/3.15.36 https://github.com/saleor/saleor/releases/tag/3.15.37 https://github.com/saleor/saleor/releases/tag/3.16.33 https://github.com/saleor/saleor/releases/tag/3.16.34 https://github.com/saleor/saleor/releases/tag/3.17.31 https://github.com/saleor/saleor/releases/tag/3.17.32 https://github.com/saleor/saleor/releases/tag/3.18.27 https://github.com/saleor/saleor/releases/tag/3.18.28 https://github.com/saleor/saleor/releases/tag/3.19.14 https://github.com/saleor/saleor/releases/tag/3.19.15
References

Affected packages

PyPI / saleor

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.14.56
Fixed
3.14.61
Introduced
3.15.31
Fixed
3.15.37
Introduced
3.16.27
Fixed
3.16.34
Introduced
3.17.25
Fixed
3.17.32
Introduced
3.18.19
Fixed
3.18.28
Introduced
3.19.5
Fixed
3.19.15

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/saleor/PYSEC-2026-1890.yaml"