📄 Description (English)
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
🤖 AI Executive Summary
Saleor e-commerce platform versions 3.2.0-3.20.109, 3.21.0-3.21.44, and 3.22.0-3.22.28 contain an Insecure Direct Object Reference (IDOR) vulnerability allowing unauthenticated attackers to extract sensitive customer information including Personally Identifiable Information (PII) in plain text. This vulnerability affects orders across multiple versions and poses significant risk to Saudi e-commerce operators handling customer data. Patches are available and immediate patching is strongly recommended.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 4, 2026 14:16
🇸🇦 Saudi Arabia Impact Assessment
Saudi e-commerce operators, particularly those in retail, fashion, and online marketplaces (Noon, Zando, local SME retailers) are at high risk. Financial impact includes potential exposure of customer PII (names, addresses, phone numbers, email addresses, order history), leading to regulatory fines under PDPL (Personal Data Protection Law), reputational damage, and customer trust erosion. Banking and payment sectors are indirectly affected if integrated with vulnerable Saleor instances. Government e-commerce initiatives and digital transformation projects using Saleor are also at risk. SAMA-regulated fintech companies offering e-commerce solutions face compliance violations.
🏢 Affected Saudi Sectors
E-commerce and Retail
Banking and Financial Services
Government and Public Sector
Telecommunications
Healthcare (if using Saleor for medical supplies)
Logistics and Supply Chain
SME Digital Transformation Initiatives
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application: IDOR vulnerability in Saleor GraphQL API
T1526 - Enumerate External Targets: Order ID enumeration to extract customer data
T1589 - Gather Victim Identity Information: Extraction of customer PII (names, addresses, emails)
T1213 - Data from Information Repositories: Unauthorized access to order database
T1040 - Network Sniffing: Potential interception of unencrypted PII in transit
T1087 - Account Discovery: Enumeration of customer accounts via order queries
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Saleor instances in your environment and verify versions against affected ranges (3.2.0-3.20.109, 3.21.0-3.21.44, 3.22.0-3.22.28)
2. Implement WAF rules to block non-staff users from accessing the order() GraphQL query endpoint immediately as temporary mitigation
3. Audit access logs for suspicious order data extraction attempts (GraphQL queries to order() endpoint from non-authenticated sources)
4. Notify customers if PII exposure is confirmed; prepare breach notification per PDPL requirements
PATCHING GUIDANCE:
1. Upgrade to patched versions: 3.22.29, 3.21.45, or 3.20.110 depending on current version
2. Test patches in staging environment before production deployment
3. Schedule maintenance window for patching (coordinate with business stakeholders)
4. Verify patch application by confirming version numbers post-upgrade
COMPENSATING CONTROLS (if patching delayed):
1. Implement strict WAF rules blocking GraphQL order() queries from non-authenticated users
2. Enable API rate limiting on GraphQL endpoints
3. Implement IP whitelisting for order query access
4. Deploy API gateway authentication enforcement
5. Monitor GraphQL query logs for anomalous patterns
DETECTION RULES:
1. Alert on GraphQL order() queries from unauthenticated sources
2. Monitor for bulk order ID enumeration attempts (sequential ID requests)
3. Track failed authentication attempts followed by order query attempts
4. Log and alert on unusual geographic access patterns to order data
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات Saleor في بيئتك وتحقق من الإصدارات مقابل النطاقات المتأثرة (3.2.0-3.20.109، 3.21.0-3.21.44، 3.22.0-3.22.28)
2. طبق قواعد WAF لحظر المستخدمين غير الموظفين من الوصول إلى نقطة نهاية GraphQL للطلب فوراً كتخفيف مؤقت
3. قم بتدقيق سجلات الوصول لمحاولات استخراج بيانات الطلبات المريبة (استعلامات GraphQL إلى نقطة الطلب من مصادر غير مصرح لها)
4. أخطر العملاء إذا تم تأكيد تعرض البيانات الشخصية؛ جهز إشعار الانتهاك وفقاً لمتطلبات قانون حماية البيانات الشخصية
إرشادات التصحيح:
1. قم بالترقية إلى الإصدارات المصححة: 3.22.29 أو 3.21.45 أو 3.20.110 حسب الإصدار الحالي
2. اختبر التصحيحات في بيئة التجريب قبل نشر الإنتاج
3. جدول نافذة صيانة للتصحيح (تنسيق مع أصحاب المصلحة في الأعمال)
4. تحقق من تطبيق التصحيح بتأكيد أرقام الإصدارات بعد الترقية
الضوابط البديلة (إذا تأخر التصحيح):
1. طبق قواعد WAF صارمة تحظر استعلامات GraphQL للطلب من مستخدمين غير مصرح لهم
2. فعّل تحديد معدل API على نقاط نهاية GraphQL
3. طبق القائمة البيضاء للعناوين IP لوصول استعلام الطلب
4. نشر فرض المصادقة على بوابة API
5. راقب سجلات استعلام GraphQL للأنماط الشاذة
قواعد الكشف:
1. تنبيه على استعلامات GraphQL للطلب من مصادر غير مصرح لها
2. مراقبة محاولات تعداد معرف الطلب الضخمة (طلبات معرف متسلسلة)
3. تتبع محاولات المصادقة الفاشلة متبوعة بمحاولات استعلام الطلب
4. تسجيل والتنبيه على أنماط الوصول الجغرافية غير المعتادة لبيانات الطلب
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control: Unauthorized access to customer order data violates access control requirements
ECC 2024 A.5.2.1 - User Authentication: IDOR allows unauthenticated access, violating authentication controls
ECC 2024 A.6.1.2 - Confidentiality: PII exposure violates data confidentiality requirements
ECC 2024 A.7.1.1 - Audit Logging: Insufficient logging of unauthorized access attempts
🔵 SAMA CSF
SAMA CSF ID.AM-1: Asset Management - Identify and manage e-commerce systems using Saleor
SAMA CSF PR.AC-1: Access Control - Implement proper authentication and authorization
SAMA CSF PR.DS-1: Data Security - Protect customer PII from unauthorized disclosure
SAMA CSF DE.AE-1: Anomalies and Events - Detect unauthorized order data access attempts
SAMA CSF RC.RP-1: Response Planning - Prepare incident response for data breach scenarios
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - User Access Management: Inadequate access controls allowing IDOR
ISO 27001:2022 A.5.3 - Access Control: Insufficient authentication mechanisms
ISO 27001:2022 A.8.2 - Confidentiality: PII exposure violates confidentiality objectives
ISO 27001:2022 A.8.3 - Integrity: Unauthorized access to order data affects integrity
ISO 27001:2022 A.12.4 - Logging: Insufficient audit trails for unauthorized access
🟣 PCI DSS v4.0.1
PCI DSS 1.1 - Firewall Configuration: WAF rules required to block unauthorized order queries
PCI DSS 2.1 - Default Credentials: Ensure Saleor instances use strong authentication
PCI DSS 6.5.1 - Injection Flaws: GraphQL IDOR is an authorization bypass vulnerability
PCI DSS 7.1 - Access Control: Restrict order data access to authorized personnel only
PCI DSS 10.2 - Logging: Log all access attempts to order data for audit purposes
🔗 References & Sources 5
🔗
https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa
security-advisories@github.com
Patch
🔗
https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af
security-advisories@github.com
Patch
🔗
https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153
security-advisories@github.com
Patch
🔗
https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944
security-advisories@github.com
Patch
🔗
https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr
security-advisories@github.com
Vendor Advisory
📦 Affected Products / CPE 3 entries
saleor:saleor
saleor:saleor
saleor:saleor