Cross-Account Email Change Exploit in Saleor E-Commerce Platform

Read Time: 2 minutes
Share
Facebook Linkedin Youtube Pinterest

Written by: Zeeshan Ahmed

Table of Contents

Add us as a preferred source on Google »

On April 8 2026, a new vulnerability (CVE-2026-35407) was disclosed by the CVE feed, affecting Saleor’s e-commerce platform. This flaw allows attackers to hijack user accounts and alter email addresses without proper authorization.

What We Know

According to News Source:

  • Saleor versions 2.10.0 through 3.20.118 contain a business-logic and authorization flaw in the account email change workflow.
  • The confirmation flow fails to verify that an email-change token was issued for the authenticated user.
  • A valid token generated for one account can be replayed while logged in as another, causing the second account’s email to update to the token’s new_email.
  • The vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

Business Impact

This flaw can compromise a company’s customer data integrity and trust:

  • Account hijacking: attackers could change the email of an active user, enabling unauthorized access to sensitive account information.
  • Fraudulent transactions: altered emails may trigger fraud alerts or disrupt payment processes.
  • Regulatory risk: mishandled personal data may violate GDPR, PCI DSS, or other compliance standards, leading to fines and reputational damage.

For SMB owners, a single compromised email could affect a few customers; for enterprises, the impact scales with the number of users and transaction volume.

What To Do

  1. Patch Immediately: Deploy the latest Saleor releases (3.23.0a3 or newer) within 24–48 hours if possible.
  2. Audit Existing Accounts: Identify any accounts that may have had email changes without proper confirmation; review logs for suspicious token usage.
  3. Enforce Token Verification: Implement a policy that validates the token’s issuer before allowing email updates, even in legacy systems.
  4. Monitor Email Change Requests: Use automated alerts to flag unusual or unauthorized email change attempts.
  5. Backup and Rollback: If patching is delayed, temporarily isolate affected instances or revert to a previous secure version until the fix is available.

If immediate patching isn’t feasible, consider isolating affected systems and applying interim safeguards like manual verification steps.

The Bigger Picture

This vulnerability highlights an emerging trend of authorization flaws in e-commerce platforms. As businesses increasingly rely on online sales channels, ensuring robust token validation becomes essential to safeguard user data.

How We Can Help

DefendMyBusiness collaborates with 400+ technology providers to tailor security solutions for your organization. Reach out at https://defendmybusiness.com/contact or use our free security scan tool for a quick assessment.

Sources

Picture of Zeeshan Ahmed

Zeeshan Ahmed

Unlock Expert Insights