{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33756/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33756"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","graphql","cve-2026-33756","dos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSaleor, an e-commerce platform, is susceptible to a resource exhaustion vulnerability affecting versions from 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. The issue stems from the platform\u0026rsquo;s support for query batching, in which multiple GraphQL operations can be submitted in a single HTTP request as a JSON array. Because no upper limit is enforced on the number of operations in one request, an unauthenticated attacker can keep every individual operation under the per-query complexity limit while the aggregate cost of the batch remains unbounded. A single HTTP request carrying a very large number of GraphQL operations can therefore exhaust server resources and cause a denial of service. The vulnerability is addressed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. 
Defenders should confirm they are running a patched version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Saleor instance running a vulnerable version (prior to 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the GraphQL endpoint (typically \u003ccode\u003e/graphql/\u003c/code\u003e); no credentials or session are required.\u003c/li\u003e\n\u003cli\u003eThe request body is a JSON array, the batch form Saleor accepts, with one element per GraphQL operation.\u003c/li\u003e\n\u003cli\u003eEach operation in the array is individually cheap enough to pass the per-query complexity check, but the array holds a very large number of them, so the total work the request demands is unbounded.\u003c/li\u003e\n\u003cli\u003eThe Saleor server accepts the request and attempts to execute every operation in the batch.\u003c/li\u003e\n\u003cli\u003eExecuting that many operations drives the server\u0026rsquo;s CPU and memory to saturation.\u003c/li\u003e\n\u003cli\u003eThe server becomes slow or unresponsive to legitimate user requests, producing a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the request as often as needed to keep the service degraded.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation exhausts CPU and memory on the Saleor e-commerce platform, leading to slow response times, application instability, and ultimately a denial of service for legitimate users. Because the attack needs no authentication and only a single HTTP request, it poses a significant availability risk to e-commerce businesses relying on Saleor, with direct impact on sales, customer satisfaction, and overall business operations. 
Every internet-reachable Saleor installation on a vulnerable version is exposed, since no authentication is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Saleor instances to 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 (or a later release in the same line) to patch CVE-2026-33756.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Volume of GraphQL Queries\u003c/code\u003e to identify exploitation attempts by counting the GraphQL operations carried in a single HTTP request in web server logs. Typical access-log formats record the request size but not the body, so this detection needs request-body logging, a reverse proxy or WAF that inspects the body, or application-level logging.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally large HTTP POST requests to the \u003ccode\u003e/graphql/\u003c/code\u003e endpoint; an unusually large Content-Length on this path is a cheap proxy for an oversized batch when the body itself is not logged.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the GraphQL endpoint to restrict the number of requests from a single IP address within a defined timeframe. Request-count rate limiting alone does not address this issue, because a single request carries the entire batch; pair it with a cap on the number of operations per request and a request body size limit at the proxy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T12:00:00Z","date_published":"2026-04-09T12:00:00Z","id":"/briefs/2026-04-saleor-resource-exhaustion/","summary":"Unauthenticated attackers can exploit a resource exhaustion vulnerability (CVE-2026-33756) in Saleor e-commerce platform versions before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 by sending a single HTTP request with a large number of GraphQL operations, bypassing per-query complexity limits and exhausting server resources.","title":"Saleor GraphQL Batch Query Resource Exhaustion Vulnerability (CVE-2026-33756)","url":"https://feed.craftedsignal.io/briefs/2026-04-saleor-resource-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-33756","version":"https://jsonfeed.org/version/1.1"}
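The two controls the brief calls for, a cap on operations per request ahead of the complexity analyser and a log scan that counts operations per logged POST, as an added example that is not Saleor's own code and not the referenced Sigma rule. It assumes the standard GraphQL-over-HTTP body shapes (a single `{"query": ...}` object or a JSON array of them), the policy values `MAX_OPERATIONS_PER_REQUEST` and `MAX_BODY_BYTES` are placeholders to tune per deployment, and the JSON-lines log format in `SAMPLE_LOG_LINES` is constructed for this example rather than taken from any real server.

```python
"""Batch-size enforcement and log-based detection for GraphQL query batching.

Added example, not Saleor code. A server that accepts a JSON array of
operations per HTTP request must cap the array length; otherwise every
element can satisfy the per-query complexity limit while the request as a
whole does unbounded work. Body shapes follow the GraphQL-over-HTTP
convention; the policy values and log format below are assumptions.
"""
import json
from dataclasses import dataclass

MAX_OPERATIONS_PER_REQUEST = 10   # assumed policy value, tune per deployment
MAX_BODY_BYTES = 64 * 1024        # assumed; enforce at the proxy as well


@dataclass(frozen=True)
class Decision:
    allowed: bool
    operations: int
    reason: str


def count_operations(body: bytes) -> int:
    """Number of GraphQL operations in a request body.

    A bare object is one operation; a JSON array is a batch and every element
    must be an object with a "query" key. Anything else raises ValueError so
    the caller rejects instead of guessing.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        raise ValueError(f"malformed JSON body: {exc}") from exc
    if isinstance(doc, dict):
        if "query" not in doc:
            raise ValueError("object is missing the query field")
        return 1
    if isinstance(doc, list):
        if not doc or not all(isinstance(op, dict) and "query" in op for op in doc):
            raise ValueError("batch must be a non-empty array of operations")
        return len(doc)
    raise ValueError("body must be an operation object or an array of them")


def enforce_batch_limit(body: bytes,
                        max_operations: int = MAX_OPERATIONS_PER_REQUEST,
                        max_bytes: int = MAX_BODY_BYTES) -> Decision:
    """Gate a request before any operation is parsed or executed.

    The byte check runs first and never parses the body; only then is the
    batch counted, and the count is checked before any query reaches the
    complexity analyser.
    """
    if len(body) > max_bytes:
        return Decision(False, 0, f"body of {len(body)} bytes exceeds {max_bytes}")
    try:
        n = count_operations(body)
    except ValueError as exc:
        return Decision(False, 0, str(exc))
    if n > max_operations:
        return Decision(False, n, f"batch of {n} operations exceeds {max_operations}")
    return Decision(True, n, "ok")


def scan_graphql_logs(lines, path="/graphql/",
                      ops_threshold=MAX_OPERATIONS_PER_REQUEST,
                      bytes_threshold=MAX_BODY_BYTES):
    """Flag logged POSTs to the GraphQL endpoint whose batch is abnormally large.

    Assumed one-JSON-object-per-line records with "src", "method", "path" and
    "content_length"; "body" is optional because most access-log formats do
    not capture it. With a body the operation count is exact; without it the
    Content-Length is the only available signal.
    """
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != path:
            continue
        ops = None
        if "body" in rec:
            try:
                ops = count_operations(rec["body"].encode())
            except ValueError:
                ops = None  # unparsable body: fall back to the size signal
        if (ops is not None and ops > ops_threshold) or rec.get("content_length", 0) > bytes_threshold:
            alerts.append({"src": rec.get("src"), "operations": ops,
                           "content_length": rec.get("content_length")})
    return alerts


def _batch(n: int) -> bytes:
    """Constructed batch of n cheap operations, the shape the advisory describes."""
    return json.dumps([{"query": "{ shop { name } }"}] * n).encode()


SAMPLE_LOG_LINES = [  # constructed, not real traffic
    json.dumps({"src": "198.51.100.7", "method": "POST", "path": "/graphql/",
                "content_length": len(_batch(3)), "body": _batch(3).decode()}),
    json.dumps({"src": "203.0.113.9", "method": "POST", "path": "/graphql/",
                "content_length": len(_batch(5000)), "body": _batch(5000).decode()}),
    json.dumps({"src": "203.0.113.9", "method": "POST", "path": "/graphql/",
                "content_length": 200000}),  # body not logged, size alone trips
    json.dumps({"src": "192.0.2.4", "method": "GET", "path": "/", "content_length": 0}),
]

if __name__ == "__main__":
    print(enforce_batch_limit(_batch(3)))
    print(enforce_batch_limit(_batch(500)))
    for alert in scan_graphql_logs(SAMPLE_LOG_LINES):
        print("ALERT", alert)
```

The byte limit is checked before the body is parsed so that an oversized request costs a length comparison rather than a JSON parse, and the operation count is checked before any individual query is analysed; both are the checks that a per-query complexity limit on its own does not provide. The scanner reports `operations` as `None` when the body was not logged, which is the common case and the reason the Content-Length fallback matters.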