Low severityNVD Advisory· Published Mar 2, 2023· Updated Mar 5, 2025

Saleor is vulnerable to unauthenticated information disclosure via Python exceptions

CVE-2023-26052

Description

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests. This issue has been patched in versions 3.1.48, 3.7.59, 3.8.0, 3.9.27, 3.10.14 and 3.11.12.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
saleorPyPI	>= 2.0.0, < 3.1.48	3.1.48
saleorPyPI	>= 3.11.0, < 3.11.12	3.11.12
saleorPyPI	>= 3.10.0, < 3.10.14	3.10.14
saleorPyPI	>= 3.9.0, < 3.9.27	3.9.27
saleorPyPI	>= 3.8.0, < 3.8.30	3.8.30
saleorPyPI	>= 3.7.0, < 3.7.59	3.7.59

Affected products

Saleor/Saleorv5
Range: >= 2.0.0, < 3.1.48

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-3hvj-3cg9-v242ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-26052ghsaADVISORY
github.com/saleor/saleor/releases/tag/3.1.48ghsax_refsource_MISCWEB
github.com/saleor/saleor/releases/tag/3.10.14ghsax_refsource_MISCWEB
github.com/saleor/saleor/releases/tag/3.11.12ghsax_refsource_MISCWEB
github.com/saleor/saleor/releases/tag/3.7.59ghsax_refsource_MISCWEB
github.com/saleor/saleor/releases/tag/3.8.30ghsax_refsource_MISCWEB
github.com/saleor/saleor/releases/tag/3.9.27ghsax_refsource_MISCWEB
github.com/saleor/saleor/security/advisories/GHSA-3hvj-3cg9-v242ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000