Cyber Posture

CVE-2026-35401

Severity: High

Published: 08 April 2026

Modified: 20 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (18.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35401 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the Saleor e-commerce platform (vendor Saleor, product Saleor). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 18.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Denial-of-service protection directly prevents resource exhaustion by implementing limits on request size, complexity, or rate at the API entry points exploited by oversized GraphQL calls.

prevent: Resource availability ensures controlled allocation of CPU, memory, and other resources, so that a single request cannot consume a disproportionate share of system capacity via chained mutations or aliases.

prevent: Information input restrictions at system boundaries limit the size, depth, or number of operations in a GraphQL request, blocking the excessive resource allocation that occurs when no limits or throttling are applied.

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability directly enables Application Exhaustion Flood by allowing a single oversized GraphQL request with numerous aliased mutations/queries to exhaust server resources and cause DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

Deeper analysis

CVE-2026-35401 affects the Saleor e-commerce platform, versions from 2.0.0 up to but excluding 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. The vulnerability enables a malicious actor to include numerous GraphQL mutations or queries within a single API call by leveraging aliases or chaining multiple mutations, resulting in resource exhaustion. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact.

Unauthenticated attackers with network access can exploit this remotely with low complexity and no user interaction. By crafting a single oversized GraphQL request, they trigger excessive resource consumption on the server, leading to denial-of-service conditions that impair service availability.

The official Saleor security advisory (GHSA-gqqv-xwx3-jj4h) at https://github.com/saleor/saleor/security/advisories/GHSA-gqqv-xwx3-jj4h confirms the issue and states that it is fixed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Security practitioners should prioritize upgrading affected instances to mitigate the risk.

Details

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products

saleor / saleor (vendor / product)
3.23.0 · 2.0.0 — 3.20.118 · 3.21.0 — 3.21.54 · 3.22.0 — 3.22.47

CVEs Like This One

CVE-2026-33756 (same product: Saleor Saleor)
CVE-2026-24136 (same product: Saleor Saleor)
CVE-2024-12537 (shared CWE-770)
CVE-2026-40104 (shared CWE-770)
CVE-2026-33254 (shared CWE-770)
CVE-2025-27419 (shared CWE-770)
CVE-2026-1662 (shared CWE-770)
CVE-2026-33594 (shared CWE-770)
CVE-2026-32980 (shared CWE-770)
CVE-2026-35526 (shared CWE-770)

References