CVE-2026-33756
Published: 08 April 2026
Summary
CVE-2026-33756 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Saleor. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 29.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly prevents denial-of-service from resource exhaustion by enforcing limits on excessive GraphQL query batching in single HTTP requests.
- Restricts the number of GraphQL operations allowed in a single batched HTTP request, blocking the bypass of per-query complexity limits.
- Ensures resource availability by monitoring and allocating resources to counter exhaustion from unbounded query batches.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables application exhaustion flood attacks (T1499.003) via unbounded GraphQL batching and facilitates exploitation of the public-facing application for denial of service (T1499.004).
NVD Description
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request with many operations (bypassing the per-query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Deeper analysis
CVE-2026-33756 is a resource exhaustion vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) in the Saleor e-commerce platform. Affecting versions from 2.0.0 up to but excluding 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the issue arises from Saleor's GraphQL query batching feature, which allows multiple operations to be submitted in a single HTTP request as a JSON array without enforcing an upper limit on the number of operations. This design permits attackers to bypass per-query complexity limits through excessive batch sizes.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required (CVSS v3.1: 7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By crafting a single HTTP request containing a large number of GraphQL operations, they can overwhelm server resources, leading to denial-of-service conditions through resource exhaustion.
The vulnerability is addressed in Saleor releases 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Mitigation details are provided in the following GitHub commit patches: https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64, https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8, https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a, https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa, and https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464. Organizations should upgrade to these versions promptly to prevent exploitation.
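The defensive shape of the fix described above, written as an added example for this page rather than Saleor's own code: a GraphQL HTTP body is parsed, the number of operations in the batch is capped before any per-operation complexity check runs, and only then is each operation costed. The cap values, the `toy_complexity` brace-counting stand-in for a real complexity analyser, and the sample request bodies are all constructed for the example; the page does not state the limits Saleor's patches use.

```python
import json

# Constructed caps for this example; the page does not state the values Saleor's fix uses.
MAX_BATCH_OPERATIONS = 10
MAX_QUERY_COMPLEXITY = 50

class BatchLimitExceeded(ValueError):
    """Raised when one HTTP request carries more operations than allowed."""

def parse_operations(body: bytes) -> list:
    """Return the operations in a GraphQL HTTP body as a list: a JSON array is a
    batch (one element per operation); a lone JSON object becomes a one-element list."""
    payload = json.loads(body)
    if isinstance(payload, dict):
        return [payload]
    if isinstance(payload, list) and all(isinstance(op, dict) for op in payload):
        return payload
    raise ValueError("GraphQL body must be a JSON object or an array of objects")

def toy_complexity(operation: dict) -> int:
    """Constructed stand-in for a complexity analyser: one unit per selection set."""
    return operation.get("query", "").count("{")

def check_request(body: bytes, max_ops: int = MAX_BATCH_OPERATIONS,
                  max_cost: int = MAX_QUERY_COMPLEXITY) -> dict:
    """Validate a request before any operation runs; raise on any limit breach."""
    ops = parse_operations(body)
    # The batch-size check is the one the vulnerable versions lacked: with only
    # a per-query limit, every element can stay cheap while the count grows.
    if len(ops) > max_ops:
        raise BatchLimitExceeded(f"{len(ops)} operations in one request (limit {max_ops})")
    costs = [toy_complexity(op) for op in ops]
    for cost in costs:
        if cost > max_cost:
            raise ValueError(f"operation complexity {cost} exceeds {max_cost}")
    return {"operations": len(ops), "total_complexity": sum(costs)}

def rejection_reason(body: bytes) -> str:
    """Return "" when the request passes, else the reason it was refused."""
    try:
        check_request(body)
        return ""
    except ValueError as exc:  # BatchLimitExceeded is a ValueError subclass
        return str(exc)

def build_batch(n: int) -> bytes:
    """Constructed sample body: n copies of one cheap product-listing query."""
    op = {"query": "{ products(first: 10) { edges { node { id name } } } }"}
    return json.dumps([op] * n).encode()
```

Every element of `build_batch(500)` individually passes the per-query cost check, which is exactly why a per-query limit alone does not bound the work a single request can demand; the batch-size check refuses the request as a whole.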
Details
- CWE(s)