CVE-2023-26052 LOW

CVE-2023-26052: Saleor is vulnerable to unauthenticated information disclosure via Python exceptions

Vendor Saleor

Product saleor

Weakness CWE-209 · Error message info leak

Published March 2, 2023

Last update March 5, 2025

View on NVD All CVEs

CVSS base score

3.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests. This issue has been patched in versions 3.1.48, 3.7.59, 3.8.0, 3.9.27, 3.10.14 and 3.11.12.

Key dates

Disclosure timeline

March 2, 2023 CVE published

March 5, 2025 Record updated

Identifiers

CVE CVE-2023-26052

CWE CWE-209

CVSS 3.7 / LOW

Affected versions

Vendor Saleor

Product saleor

Affected >= 2.0.0, < 3.1.48

Vendor Saleor

Product saleor

Affected >= 3.11.0, < 3.11.12

Vendor Saleor

Product saleor

Affected >= 3.10.0, < 3.10.14

Vendor Saleor

Product saleor

Affected >= 3.9.0, < 3.9.27

Vendor Saleor

Product saleor

Affected >= 3.8.0, < 3.8.30

Vendor Saleor

Product saleor

Affected >= 3.7.0, < 3.7.59