cvedb.io
CVE-2026-33756
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-08T18:26:00.700 · Last modified 2026-06-17T10:38:02.703

Summary

Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

Affected products

saleor — saleor

Does this affect you?

Add your gear to cvedb and we'll alert you only when saleor ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.