Cyber Posture

CVE-2026-24136

High

Published: 24 January 2026
Modified: 12 February 2026
KEV Added: not listed
Patch: available (3.22.29, 3.21.45, 3.20.110)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (4.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24136 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the Saleor e-commerce platform (vendor: Saleor, product: Saleor). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 4.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness type (CWE) cited in the NVD entry.

Per-request decision making (addresses CWE-639): making an authorization decision on every request, with proper validation of the referenced object in that decision, makes it harder to bypass authorization with a user-controlled key.

Consistent enforcement of approved authorizations (addresses CWE-639): enforcing approved authorizations uniformly across every access path makes bypass via user-controlled keys ineffective.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An IDOR in the public-facing GraphQL endpoint of the web application directly enables remote, unauthenticated data access and exfiltration from the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions 3.22.29, 3.21.45, and 3.20.110. To work around it, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.

Deeper analysis (AI-generated)

CVE-2026-24136 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the Saleor open-source e-commerce platform. It impacts versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44, and 3.22.0-a.0 through 3.22.28. The flaw enables unauthenticated actors to extract sensitive information, including personally identifiable information (PII), in plain text via the order() GraphQL query, particularly for orders created before Saleor 3.2.0. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no privileges required.

Unauthenticated attackers can exploit this IDOR remotely over the network with low complexity, without user interaction. By manipulating the order() GraphQL query, they can directly reference and retrieve details of arbitrary orders, leading to the exfiltration of PII from legacy orders predating version 3.2.0. No authentication or staff privileges are needed, making it accessible to any remote adversary.

Saleor has addressed the issue in patched versions 3.22.29, 3.21.45, and 3.20.110, with fixes detailed in the corresponding GitHub commits and the security advisory GHSA-r6fj-f4r9-36gr. As a temporary workaround, administrators can use a Web Application Firewall (WAF) to block non-staff users from accessing the order() GraphQL query. Security practitioners should prioritize upgrading affected instances and review access logs for order() queries issued by unauthenticated or non-staff clients.
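As an added example (not Saleor's code and not from the advisory), a minimal Python filter in the spirit of the WAF workaround above: it extracts the root fields of every GraphQL operation in a POST body, resolves aliases and inline fragments, and denies non-staff callers that select the top-level order() field. The is_staff flag, the sample bodies and the field names other than order() are assumptions for illustration.

```python
import json
import re
# Tokens: strings are taken whole so their contents never look like field names.
_TOKEN_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|[A-Za-z_]\w*|\.\.\.|\S')
_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on"}

def top_level_fields(document: str) -> set[str]:
    """Fields selected directly on the root of each operation/fragment: aliases resolve
    to the real field, arguments, directives, spreads and nested selections are skipped,
    and inline fragments (`... on Query { ... }`) add no nesting level."""
    tokens = _TOKEN_RE.findall(re.sub(r"#[^\r\n]*", "", document))  # strip comments
    fields, stack, depth, paren = set(), [], 0, 0
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else ""
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in "()":  # argument lists: nothing inside is a selection
            paren += 1 if tok == "(" else -1
        elif tok == "{":
            inline = prev == "..." or (i >= 3 and tokens[i - 3:i - 1] == ["...", "on"])
            stack.append(inline)
            depth += 0 if inline else 1
        elif tok == "}":
            if stack and not stack.pop():
                depth -= 1
        elif (depth == 1 and paren == 0 and (tok[0].isalpha() or tok[0] == "_")
              and tok not in _KEYWORDS and prev not in {"@", "...", "on", "$"}
              and nxt != ":"):  # in `alias: field` only `field` is recorded
            fields.add(tok)
    return fields

def should_block(body: str, is_staff: bool, blocked=frozenset({"order"})) -> bool:
    """Deny decision for one POST /graphql/ body, single or batched."""
    if is_staff:
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return True  # not JSON: the deny rule fails closed
    for op in payload if isinstance(payload, list) else [payload]:
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str) or top_level_fields(query) & blocked:
            return True
    return False

# Constructed sample bodies (not captured traffic); fields other than order() are illustrative.
SAMPLE_BODIES = {
    "aliased_inline": '{"query": "{ ... on Query { o: order(id: \\"example-id\\") { id } } }"}',
    "nested_only": '{"query": "mutation { checkoutComplete(id: \\"example-id\\") { order { id } } }"}',
    "batched": '[{"query": "{ shop { name } }"}, {"query": "{ order(id: \\"example-id\\") { id } }"}]',
}
```

A production rule should walk the AST produced by a real GraphQL parser rather than this token scanner, and should log each denial so the access-log review recommended above has concrete events to inspect.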

Details

CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products

Vendor: saleor
Product: saleor
Affected ranges: 3.2.0 – 3.20.110 · 3.21.0 – 3.21.45 · 3.22.0 – 3.22.29 (each upper bound is the patched release)

CVEs Like This One

CVE-2026-35401 (same product: Saleor Saleor)
CVE-2026-33756 (same product: Saleor Saleor)
CVE-2025-40805 (shared CWE-639)
CVE-2026-4503 (shared CWE-639)
CVE-2026-40600 (shared CWE-639)
CVE-2023-53955 (shared CWE-639)
CVE-2020-36923 (shared CWE-639)
CVE-2026-33511 (shared CWE-639)
CVE-2026-39384 (shared CWE-639)
CVE-2025-14844 (shared CWE-639)
