Vulnerability Report

CVE-2026-39851

Title: Email Enumeration via Error Messages

Input Validation Error

Proof Of Concept

No public PoC currently indexed for CVE-2026-39851.

CWE Category CWE-204
Published Date Apr 08, 2026
Modified Date Apr 20, 2026
Exploit Status Not Found
Score 5.3 CVSS v4.0
Exploit Probability (EPSS)
0.24%

Vulnerability Summary

CVE-2026-39851: Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

Impacted Vendors

M
mirumee 1
S
saleor 1

Reference Links

https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64 https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8 https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464 https://github.com/saleor/saleor/security/advisories/GHSA-m3rm-m4vq-27x7
CVSS v4.0
Source Entity [email protected]
Severity MEDIUM
5.3
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
N/A
RAW VECTOR CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1
Source Entity [email protected]
Severity MEDIUM
4.3
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-39851 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Stack

No specific products linked.