CVE-2023-26051 MEDIUM

CVE-2023-26051: Saleor is vulnerable to staff-authenticated error message information disclosure vulnerability via Python exceptions

Vendor Saleor

Product saleor

Weakness CWE-209 · Error message info leak

Published March 2, 2023

Last update March 5, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated requests.

Key dates

Disclosure timeline

March 2, 2023 CVE published

March 5, 2025 Record updated

Identifiers

CVE CVE-2023-26051

CWE CWE-209

CVSS 6.5 / MEDIUM

Affected versions

Vendor Saleor

Product saleor

Affected >= 2.0.0, < 3.1.48

Vendor Saleor

Product saleor

Affected >= 3.11.0, < 3.11.12

Vendor Saleor

Product saleor

Affected >= 3.10.0, < 3.10.14

Vendor Saleor

Product saleor

Affected >= 3.9.0, < 3.9.27

Vendor Saleor

Product saleor

Affected >= 3.8.0, < 3.8.30

Vendor Saleor

Product saleor

Affected >= 3.7.0, < 3.7.59