
Saleor

v3.21.59 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 12d Productivity & Wikis
This release patches 1 CVE (CVE-2026-45409) and 5 GHSA advisories, all through dependency upgrades

Topics

cart checkout commerce composable e-commerce ecommerce graphql headless headless-commerce multichannel oms order-management payments pim python shop shopping-cart store

Affected surfaces

auth deps

ReleasePort's take

Light signal
editorial:auto 12d

The release upgrades pyjwt to v2.13.0 and idna to v3.15, fixing five GHSA advisories in pyjwt and CVE-2026-45409 in idna, respectively.

Why it matters: Patching these dependencies resolves five GHSA security issues in pyjwt and prevents a DoS via crafted inputs in idna (CVE-2026-45409).

Summary

AI summary

Upgrades pyjwt to v2.13.0 (GHSA-xgmm-8j9v-c9wx, GHSA-jq35-7prp-9v3f, GHSA-w7vc-732c-9m39, GHSA-993g-76c3-p5m4, GHSA-fhv5-28vv-h8m8) and idna to v3.15 (CVE-2026-45409); the changelog lists no other changes.

Changes in this release

Security Medium

Upgraded pyjwt to v2.13.0, fixing GHSA-xgmm-8j9v-c9wx, GHSA-jq35-7prp-9v3f, GHSA-w7vc-732c-9m39, GHSA-993g-76c3-p5m4 and GHSA-fhv5-28vv-h8m8.

Source: llm_adapter@2026-05-22

Confidence: high

Security Medium

Upgraded idna to v3.15, fixing CVE-2026-45409 (DoS via specially crafted inputs to idna.encode()).

Source: llm_adapter@2026-05-22

Confidence: high

Full changelog

What's Changed

  • Upgraded pyjwt to v2.13.0 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19235 - fixes:
    • GHSA-xgmm-8j9v-c9wx: JWK JSON accepted as HMAC secret (algorithm confusion)
    • GHSA-jq35-7prp-9v3f: Algorithm allow-list bypass with PyJWK / PyJWKClient
    • GHSA-w7vc-732c-9m39: DoS via base64 decode of unused payload segment when b64=false
    • GHSA-993g-76c3-p5m4: PyJWKClient accepts non-HTTP(S) URIs
    • GHSA-fhv5-28vv-h8m8: PyJWKClient cache wiped on fetch error
  • Upgraded idna to v3.15 to fix CVE-2026-45409 - specially crafted inputs to idna.encode() can lead to DoS - by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19235

Full Changelog: https://github.com/saleor/saleor/compare/3.21.58...3.21.59
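Before trusting the digest above, a security team will want to confirm that both bumps actually landed in every deployed image, since a lock-file change only helps where the new lock was installed. The following Python is an added example (not Saleor's or ReleasePort's code) that parses `pip freeze` output, or reads the running interpreter's package metadata, and compares pyjwt and idna against the minimum versions this release ships. The sample freeze text is constructed; the minimums come from the changelog.

```python
import re
from importlib import metadata

# Minimum versions shipped by Saleor 3.21.59 for the two affected packages (from the changelog).
MINIMUMS = {"pyjwt": "2.13.0", "idna": "3.15"}

# Constructed sample of `pip freeze` output from a hypothetical, not-yet-upgraded deployment.
SAMPLE_FREEZE = """\
Django==4.2.16
# pinned by the previous lock file
PyJWT==2.9.0
idna==3.10
saleor==3.21.58
"""


def normalize(name: str) -> str:
    """PEP 503 name normalisation so PyJWT, pyjwt and py_jwt compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Sortable key: numeric release segments, padded, then a rank for pre/final/post."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))          # 3.15 and 3.15.0 are the same release
    suffix = m.group(2).strip()
    if not suffix:
        rank = 1                             # final release
    elif suffix.startswith((".post", "+")):
        rank = 2                             # post-release / local version sorts above final
    else:
        rank = 0                             # a1, b2, rc1, .dev0 sort below the final release
    return nums + (rank,)


def parse_freeze(text: str) -> dict:
    """Collect exact pins (name==version) from freeze/requirements text, ignoring comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def audit(pins: dict) -> dict:
    """Compare each affected package against its patched minimum; missing counts as not ok."""
    findings = {}
    for name, minimum in MINIMUMS.items():
        installed = pins.get(name)
        ok = installed is not None and version_key(installed) >= version_key(minimum)
        findings[name] = {"installed": installed, "minimum": minimum, "ok": ok}
    return findings


def audit_environment() -> dict:
    """Same check against the interpreter this runs in, i.e. what is actually deployed."""
    pins = {}
    for name in MINIMUMS:
        try:
            pins[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return audit(pins)


if __name__ == "__main__":
    for pkg, finding in audit(parse_freeze(SAMPLE_FREEZE)).items():
        status = "ok" if finding["ok"] else "UPGRADE"
        print(f"{pkg}: installed={finding['installed']} minimum={finding['minimum']} {status}")
```

Run `audit_environment()` inside each container image rather than against a checked-in lock file; the two can disagree when images are built from cached layers. The version parser handles only the release, pre-release and post-release shapes shown; for anything exotic use `packaging.version` instead.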

Security Fixes

  • GHSA-xgmm-8j9v-c9wx: PyJWT now rejects JWK JSON as an HMAC secret, closing an algorithm-confusion path.
  • GHSA-jq35-7prp-9v3f: PyJWT now enforces the caller's algorithm allow-list when keys come from PyJWK/PyJWKClient, closing a bypass.
  • GHSA-w7vc-732c-9m39: PyJWT no longer base64-decodes the unused payload segment when b64=false, removing a DoS vector.
  • GHSA-993g-76c3-p5m4: PyJWKClient now rejects non-HTTP(S) URIs, preventing URI scheme abuse.
  • GHSA-fhv5-28vv-h8m8: PyJWKClient no longer wipes its cache on a fetch error, so prior entries survive a transient failure.
  • CVE-2026-45409 (idna v3.15): Fixes a DoS caused by specially crafted inputs to idna.encode().
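The first four PyJWT entries describe verifier-side mistakes: letting the token header choose the algorithm, letting a public JWK document double as an HMAC secret, and fetching keys from arbitrary URI schemes. The Python below is an added illustration, not PyJWT's or Saleor's code: a minimal HS256 encoder, a naive verifier that models the pre-fix behaviour named in GHSA-xgmm-8j9v-c9wx, a hardened verifier that enforces an explicit allow-list and refuses JWK JSON as an HMAC key, and a JWKS URI check in the spirit of GHSA-993g-76c3-p5m4. The JWK, the shared secret and the issuer URL are constructed, and the forgery assumes the verifier serialises the JWK to the same bytes the attacker used.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed public RSA JWK, as an issuer might publish in its JWKS (not a real key).
PUBLIC_JWK = {"kty": "RSA", "kid": "2026-05", "use": "sig", "alg": "RS256",
              "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl", "e": "AQAB"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token; an attacker does this with the issuer's public JWK bytes as 'secret'."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return h, p, s, json.loads(b64url_decode(h))


def _hs256_ok(key: bytes, h: str, p: str, s: str) -> bool:
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def looks_like_jwk(key: bytes) -> bool:
    """True when the bytes offered as an HMAC secret are really a JWK or JWK Set document."""
    try:
        obj = json.loads(key)
    except ValueError:          # JSONDecodeError and UnicodeDecodeError are both ValueErrors
        return False
    return isinstance(obj, dict) and ("kty" in obj or "keys" in obj)


def verify_naive(token: str, key: bytes) -> dict:
    """Model of the pre-fix behaviour: the header picks the algorithm, any bytes serve as the secret."""
    h, p, s, header = _split(token)
    if header.get("alg") != "HS256" or not _hs256_ok(key, h, p, s):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_hardened(token: str, key: bytes, algorithms: set) -> dict:
    """The allow-list comes from the verifier, not the token; JWK documents are never HMAC keys."""
    if not algorithms or any(a.lower() == "none" for a in algorithms):
        raise ValueError("algorithms must be an explicit allow-list without 'none'")
    h, p, s, header = _split(token)
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} is not allowed")
    if alg != "HS256":
        raise ValueError(f"{alg} verification is outside this illustration")
    if looks_like_jwk(key):
        raise ValueError("refusing a JWK document as an HMAC secret (algorithm confusion)")
    if not _hs256_ok(key, h, p, s):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def validate_jwks_uri(uri: str) -> str:
    """Accept only http(s) JWKS endpoints with a host; file://, ftp:// and the like are rejected."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"JWKS URI must be http(s) with a host: {uri!r}")
    return uri


def run_demo() -> dict:
    """Forge a token over the public JWK bytes and report which verifier accepts it."""
    jwk_bytes = json.dumps(PUBLIC_JWK, separators=(",", ":")).encode()
    forged = encode_hs256({"sub": "admin", "is_staff": True}, jwk_bytes)
    result = {"naive_accepts": False, "hardened_rejects": False, "legit_ok": False}
    try:
        result["naive_accepts"] = verify_naive(forged, jwk_bytes)["sub"] == "admin"
    except ValueError:
        pass
    try:
        verify_hardened(forged, jwk_bytes, {"RS256", "HS256"})
    except ValueError:
        result["hardened_rejects"] = True
    secret = b"constructed-shared-secret"   # a genuine HMAC deployment still works
    legit = encode_hs256({"sub": "u1"}, secret)
    result["legit_ok"] = verify_hardened(legit, secret, {"HS256"})["sub"] == "u1"
    return result


if __name__ == "__main__":
    print(run_demo())
    print(validate_jwks_uri("https://issuer.example/.well-known/jwks.json"))
```

The point of `verify_hardened` is that nothing in it is decided by the token: the algorithm set and the key type are fixed by the deployment, so a header that says HS256 against an RSA verifier fails before any HMAC is computed. Upgrading to pyjwt 2.13.0 gives you the library-side version of these checks; keeping an explicit `algorithms` list in your own `jwt.decode` calls remains good practice on top of it.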


About Saleor

Django-based, open-source e-commerce storefront.
