
Saleor

v3.21.60 Security

This release includes 7 security fixes and is relevant to security teams reviewing exposed deployments.

Published 14h ago (category: Productivity & Wikis)

Topics

cart, checkout, commerce, composable, e-commerce, ecommerce, graphql, headless, headless-commerce, multichannel, oms, order-management, payments, pim, python, shop, shopping-cart, store

Affected surfaces

auth deps

ReleasePort's take

Moderate signal

The release upgrades Django to v5.2.15 and urllib3 to v2.7.0, addressing multiple critical CVEs.

Why it matters: Patches five high‑severity CVEs (CVE-2026-6873, 7666, 8404, 35193, 48587) in Django and two in urllib3; upgrading is required to eliminate known vulnerabilities.

Summary

AI summary

A mixed release combining bug fixes with security updates, including fixes for CVE-2026-6873 and CVE-2026-7666.

Changes in this release

Security Critical: Bumped Django to v5.2.15 fixing CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, CVE-2026-48587.

Security Critical: Bumped urllib3 to v2.7.0 fixing CVE-2026-44432 and CVE-2026-44431.

Bugfix Medium: Fixed KeyError when resolving channel for channel-agnostic account events.

Bugfix Medium: Fixed TypeError when resolving default channel slug on product types.

Bugfix Medium: Improved Sentry's PII scrubber.

Source: llm_adapter@2026-06-03; Confidence: high

Full changelog

What's Changed

Bug fixes:

  • Fixed KeyError when resolving channel for channel-agnostic account events (#19253) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19267
  • Fixed TypeError when resolving default channel slug on product types (#19251) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19278
  • Improved Sentry's PII scrubber by @wcislo-saleor in https://github.com/saleor/saleor/pull/19275

Security fixes:

  • Bumped Django to v5.2.15 to fix the following (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19285):

    • CVE-2026-6873: Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
    • CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
    • CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
    • CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
    • CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header

    Learn more at https://www.djangoproject.com/weblog/2026/jun/03/security-releases/

  • Bumped urllib3 to v2.7.0 to fix the following (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19285):

    • CVE-2026-44432: Decompression-bomb safeguards bypassed in parts of the streaming API
    • CVE-2026-44431: Sensitive headers forwarded across origins in proxied low-level redirects

    Learn more at https://github.com/urllib3/urllib3/releases/tag/2.7.0

Full Changelog: https://github.com/saleor/saleor/compare/3.21.59...3.21.60

Security Fixes

  • CVE-2026-6873 — Signed cookie salt namespace collision in `django.http.HttpRequest.get_signed_cookie`
  • CVE-2026-7666 — Potential unencrypted email transmission via STARTTLS in the SMTP backend
  • CVE-2026-8404 — Potential exposure of private data via case‑sensitive `Cache-Control` directives in `UpdateCacheMiddleware`
  • CVE-2026-35193 — Potential exposure of private data due to missing `Vary: Authorization` in `UpdateCacheMiddleware`
  • CVE-2026-48587 — Potential exposure of private data via whitespace padding in the `Vary` header
  • dep: CVE-2026-44432 — Decompression‑bomb safeguards bypassed in urllib3 streaming API
  • dep: CVE-2026-44431 — Sensitive headers forwarded across origins in proxied low‑level redirects


About Saleor

Django-based open-source e-commerce storefront.
