{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35401/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35401"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-35401","graphql","resource-exhaustion","denial-of-service","saleor"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35401 details a resource exhaustion vulnerability affecting the Saleor e-commerce platform. Present in versions 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the flaw allows an unauthenticated, remote attacker to exhaust server resources. This is achieved by sending a single API call containing numerous GraphQL mutations or queries, leveraging aliases or chaining techniques. The excessive processing load induced by these malicious requests can lead to a denial-of-service (DoS) condition. Organizations using vulnerable Saleor versions are at risk of service disruption, potentially impacting business operations and revenue. Mitigation involves upgrading to the patched versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Saleor e-commerce platform running a vulnerable version (2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GraphQL query or mutation containing numerous aliased or chained operations. 
This is done to maximize server-side processing load.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GraphQL request to the Saleor platform\u0026rsquo;s API endpoint, typically \u003ccode\u003e/graphql/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Saleor server attempts to process all the queries/mutations within the single request.\u003c/li\u003e\n\u003cli\u003eThe server resources (CPU, memory, database connections) are rapidly consumed by the excessive processing demand.\u003c/li\u003e\n\u003cli\u003eThe server becomes slow and unresponsive, potentially timing out for legitimate user requests.\u003c/li\u003e\n\u003cli\u003eThe Saleor e-commerce platform experiences a denial-of-service condition, disrupting service for legitimate customers.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process to maintain the denial-of-service state, further impacting business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35401 leads to resource exhaustion on the Saleor e-commerce platform, resulting in a denial-of-service condition. This disruption can impact online sales, customer experience, and brand reputation. The number of affected systems depends on the prevalence of vulnerable Saleor installations. While the exact number of victims is unknown, any e-commerce business using an unpatched version is susceptible to service outages. 
Prolonged or repeated attacks can lead to significant financial losses and damage to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Saleor to the fixed release for the line you run: 3.20.118, 3.21.54, 3.22.47, or 3.23.0a3. Only these versions close CVE-2026-35401; the controls below reduce exposure until the upgrade is done.\u003c/li\u003e\n\u003cli\u003eRate limit the \u003ccode\u003e/graphql/\u003c/code\u003e endpoint, but do not rely on it alone: the amplification here happens inside a single request, which a per-request rate limit does not measure. Cap the number of root-level operations and aliases accepted per document (or enforce a query cost limit) at the API gateway or in the GraphQL layer, and reject JSON-array batches if the storefront does not use them.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious GraphQL Volume\u003c/code\u003e to identify potential exploitation attempts based on request patterns; baseline the size and alias count of legitimate storefront queries first so the threshold does not page on normal traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:23Z","date_published":"2026-04-08T19:25:23Z","id":"/briefs/2026-04-saleor-graphql-exhaustion/","summary":"A remote, unauthenticated attacker can cause resource exhaustion in Saleor e-commerce platforms via maliciously crafted GraphQL API requests, leading to denial of service.","title":"Saleor GraphQL Resource Exhaustion Vulnerability (CVE-2026-35401)","url":"https://feed.craftedsignal.io/briefs/2026-04-saleor-graphql-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-35401","version":"https://jsonfeed.org/version/1.1"}
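The brief above describes the attack shape (many aliased or chained operations packed into one request) and recommends rate limiting. The following is an added example, not code from the brief or from the Saleor project: a request-budget check that measures what a per-request rate limit cannot see, namely operations per HTTP body, root-level fields, aliases and total fields in one GraphQL document. It could sit in a reverse proxy or a Django middleware in front of the executor. The `Budget` limits, the function names and the field names in the constructed sample bodies (`products`, `shop`, `me`) are assumptions for illustration, not Saleor's schema or defaults.

```python
"""Added example (not Saleor's code): pre-execution budget check for GraphQL
request bodies.  A depth-tracking token scan, not a full parser, counts the
shape of each document.  Sample field names are assumed, not Saleor's schema."""
import json
import re
from dataclasses import dataclass

# Strings and comments are blanked first so braces inside them are ignored.
_STRINGS = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_COMMENTS = re.compile(r'#[^\n]*')
# Spread operator, names, variables, punctuation and numbers.
_TOKEN = re.compile(r'\.\.\.|[_A-Za-z][_0-9A-Za-z]*|\$[_A-Za-z][_0-9A-Za-z]*|[{}():@!=\[\]|]|-?\d[\d.eE+-]*')


@dataclass(frozen=True)
class Budget:
    """Assumed per-request limits; tune max_root_fields to the storefront's largest real query."""
    max_operations: int = 1     # documents per HTTP body (JSON-array batching)
    max_root_fields: int = 10   # top-level selections in one document
    max_aliases: int = 5        # aliased selections anywhere in one document
    max_fields: int = 200       # all field selections in one document


def measure(document: str) -> dict:
    """Count root fields, total fields and aliases in one GraphQL document.

    Selections live inside braces at paren depth 0; braces inside argument lists are
    input objects and are skipped.  A name after '@' is a directive, a name after '...'
    is a fragment spread ('... on Type' also skips the type name).  Top-level selections
    of fragment definitions count as root fields, which errs on the strict side.
    """
    text = _COMMENTS.sub('', _STRINGS.sub('""', document))
    tokens = _TOKEN.findall(text)
    depth = paren = 0
    root = total = aliases = 0
    skip = 0            # names still to skip after a '...'
    after_at = False    # next name is a directive name
    for i, tok in enumerate(tokens):
        if tok == '(':
            paren += 1
            continue
        if tok == ')':
            paren -= 1
            continue
        if paren:
            continue                    # argument lists never contain selections
        if tok == '{':
            depth += 1
            continue
        if tok == '}':
            depth -= 1
            continue
        if tok == '@':
            after_at = True
            continue
        if tok == '...':
            skip = 1
            continue
        if not (tok[0].isalpha() or tok[0] == '_'):
            continue                    # ':' '!' '$var' numbers and the like
        if after_at:
            after_at = False
            continue
        if skip:
            skip -= 1
            if tok == 'on':
                skip = 1                # '... on Type': skip the type name as well
            continue
        if depth == 0:
            continue                    # operation/fragment keywords and their names
        if i + 1 < len(tokens) and tokens[i + 1] == ':':
            aliases += 1                # 'alias: field'
        else:
            total += 1
            if depth == 1:
                root += 1
    return {"root_fields": root, "fields": total, "aliases": aliases}


def check_request(body: str, budget: Budget = Budget()) -> tuple:
    """Return (accepted, reason) for a raw JSON request body, single object or array batch."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > budget.max_operations:
        return False, f"{len(operations)} operations in one request (max {budget.max_operations})"
    for op in operations:
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str):
            return False, "operation without a query string"
        m = measure(query)
        if m["root_fields"] > budget.max_root_fields:
            return False, f"{m['root_fields']} root fields in one operation (max {budget.max_root_fields})"
        if m["aliases"] > budget.max_aliases:
            return False, f"{m['aliases']} aliases in one operation (max {budget.max_aliases})"
        if m["fields"] > budget.max_fields:
            return False, f"{m['fields']} fields in one operation (max {budget.max_fields})"
    return True, "ok"


# Constructed sample bodies (field names assumed, not Saleor's schema).
LEGITIMATE = json.dumps({"query": "query Shop { me { email } products(first: 5) { edges { node { name } } } }"})
ALIASED = json.dumps({"query": "query Flood { " + " ".join(
    f"p{i}: products(first: 100) {{ edges {{ node {{ name }} }} }}" for i in range(50)) + " }"})
BATCHED = json.dumps([{"query": "{ shop { name } }"} for _ in range(20)])

if __name__ == "__main__":
    for label, body in (("legitimate", LEGITIMATE), ("aliased", ALIASED), ("batched", BATCHED)):
        print(label, check_request(body))
```

The check runs before any resolver executes, which is the point: the aliased sample is a single HTTP request and passes any per-request rate limit, yet it carries 50 root-level selections and is rejected on shape alone. Thresholds must come from observed legitimate traffic, and the scan is deliberately conservative (fragment bodies count toward root fields), so measure the real storefront's queries before enforcing rather than logging.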