
Saleor

v3.23.7 Security

This release includes six security fixes (five PyJWT advisories and one idna CVE), relevant to security teams reviewing exposed deployments.

Published 12d

Patches 1 known CVE (CVE-2026-45409, in idna) and 5 GitHub security advisories (GHSA, in pyjwt).

Topics

cart checkout commerce composable e-commerce ecommerce graphql headless headless-commerce multichannel oms order-management payments pim python shop shopping-cart store

Affected surfaces

auth deps

ReleasePort's take

Moderate signal
editorial:auto 12d

Saleor 3.23.7 upgrades pyjwt to 2.13.0 and idna to 3.15, fixing multiple security vulnerabilities in those dependencies.

Why it matters: Upgrading to pyjwt 2.13.0 resolves an algorithm confusion flaw (JWK JSON accepted as an HMAC secret), an algorithm allow-list bypass, a denial of service via base64 decoding when b64=false, acceptance of non-HTTP(S) JWKS URIs, and a key-cache wipe on fetch error; upgrading idna to 3.15 fixes CVE-2026-45409, a denial of service in idna.encode().

Summary

AI summary

Addresses five PyJWT advisories (GHSA-xgmm-8j9v-c9wx, GHSA-jq35-7prp-9v3f, GHSA-w7vc-732c-9m39, GHSA-993g-76c3-p5m4, GHSA-fhv5-28vv-h8m8) and idna CVE-2026-45409 through dependency upgrades, in an otherwise mixed release.

Changes in this release

Security High

Fixes GHSA-xgmm-8j9v-c9wx: JWK JSON accepted as an HMAC secret, enabling algorithm confusion. Fixed by upgrading pyjwt to v2.13.0.

Source: granite4.1:30b@2026-05-22-audit (High); llm_adapter@2026-05-22 (Medium)

Confidence: low

Security High

Fixes GHSA-w7vc-732c-9m39: denial of service via base64 decoding of an unused payload segment when the header sets b64=false. Fixed by upgrading pyjwt to v2.13.0.

Source: granite4.1:30b@2026-05-22-audit (High); llm_adapter@2026-05-22 (Medium)

Confidence: low

Security High

Fixes GHSA-fhv5-28vv-h8m8: PyJWKClient cache wiped on a fetch error. Fixed by upgrading pyjwt to v2.13.0.

Source: granite4.1:30b@2026-05-22-audit (High); llm_adapter@2026-05-22 (Medium)

Confidence: low

Security High

Upgrades idna to v3.15, fixing CVE-2026-45409: specially crafted inputs to idna.encode() can cause denial of service.

Source: granite4.1:30b@2026-05-22-audit (High); llm_adapter@2026-05-22 (Medium)

Confidence: low

Security Medium

Fixes GHSA-jq35-7prp-9v3f: algorithm allow-list bypass with PyJWK / PyJWKClient. Fixed by upgrading pyjwt to v2.13.0.

Source: llm_adapter@2026-05-22

Confidence: low

Security Medium

Fixes GHSA-993g-76c3-p5m4: PyJWKClient accepts non-HTTP(S) URIs. Fixed by upgrading pyjwt to v2.13.0.

Source: llm_adapter@2026-05-22

Confidence: low
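The PyJWT items above describe issue classes (algorithm confusion, allow-list bypass, unencoded-payload DoS, non-HTTP(S) JWKS URIs) that an application can also refuse at its own edge, before a token or a JWKS URL ever reaches the library. The following is an added example, not Saleor's, PyJWT's or ReleasePort's code: stdlib-only pre-checks that enforce an explicit `alg` allow-list, refuse `b64:false` and `crit` headers, and allow JWKS fetches only over https to a known host. ALLOWED_ALGS, ISSUER_HOSTS, MAX_HEADER_BYTES and the sample tokens are assumptions constructed for the example; the code does no signature verification, and the 2.13.0 upgrade remains the actual remedy.

```python
"""Application-side guards for the PyJWT issue classes listed above.

Added example, not Saleor's or PyJWT's code. The library fix is the real
remedy; these checks run before a token or JWKS URL reaches the library,
so a lagging pin or a regression fails closed. Sample tokens below are
constructed and unsigned; no signature verification happens here.
"""
from __future__ import annotations

import base64
import json
from urllib.parse import urlsplit

# Assumption: only the algorithms this deployment issues. "none" is never allowed.
ALLOWED_ALGS = frozenset({"RS256", "ES256"})
MAX_HEADER_BYTES = 4096  # assumption: generous cap for a JOSE header segment


class TokenRejected(ValueError):
    """Raised when a token fails a pre-check; the message is safe to log."""


def b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWS uses it. Invalid input raises."""
    if not segment:
        raise TokenRejected("empty segment")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header(token: str) -> dict:
    """Decode only the JOSE header of a compact JWS, with a size cap."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("expected three segments")
    if len(parts[0]) > MAX_HEADER_BYTES:
        raise TokenRejected("header too large")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:  # includes binascii.Error
        raise TokenRejected("header is not base64url JSON") from exc
    if not isinstance(header, dict):
        raise TokenRejected("header is not a JSON object")
    return header


def precheck_token(token: str, allowed: frozenset[str] = ALLOWED_ALGS) -> dict:
    """Reject a token before any key lookup or signature check.

    - alg must be a string in the allow-list (closes "none" and algorithm
      confusion at the edge, regardless of library behaviour)
    - b64:false (RFC 7797 unencoded payload) is refused: this deployment
      never issues such tokens, so accepting them is only attack surface
    - crit is refused because no critical extensions are implemented here
    """
    header = parse_header(token)
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed:
        raise TokenRejected(f"alg not allowed: {alg!r}")
    if header.get("b64", True) is not True:
        raise TokenRejected("unencoded payload (b64=false) not accepted")
    if "crit" in header:
        raise TokenRejected("crit header not supported")
    return header


def precheck_jwks_uri(uri: str, allowed_hosts: frozenset[str]) -> str:
    """Only https to a known host may be fetched for keys. Rejects file://,
    data:, plain http, embedded credentials and unexpected hosts."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise TokenRejected(f"JWKS scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise TokenRejected("credentials in JWKS URL")
    if not parts.hostname or parts.hostname.lower() not in allowed_hosts:
        raise TokenRejected(f"JWKS host not allowed: {parts.hostname!r}")
    return uri


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises TokenRejected (used by the sample run)."""
    try:
        fn(*args)
    except TokenRejected:
        return True
    return False


def _compact(header: dict) -> str:
    """Constructed unsigned token for the samples below (not a valid JWS)."""
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b'{"sub":"u1"}'), enc(b"sig")])


# Constructed samples, not real tokens or issuer URLs.
GOOD_TOKEN = _compact({"alg": "RS256", "typ": "JWT"})
NONE_TOKEN = _compact({"alg": "none"})
HS_TOKEN = _compact({"alg": "HS256"})
B64_FALSE_TOKEN = _compact({"alg": "RS256", "b64": False, "crit": ["b64"]})
ISSUER_HOSTS = frozenset({"auth.example.com"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("none", NONE_TOKEN),
                      ("hs", HS_TOKEN), ("b64false", B64_FALSE_TOKEN)]:
        print(name, "rejected" if rejects(precheck_token, tok) else "passed pre-check")
    for u in ("https://auth.example.com/.well-known/jwks.json", "file:///etc/passwd"):
        print(u, "rejected" if rejects(precheck_jwks_uri, u, ISSUER_HOSTS) else "allowed")
```

Call precheck_token before handing the token to the library, and keep the same allow-list in the library call (PyJWT's jwt.decode takes an explicit `algorithms` list); the JWKS rule belongs wherever the issuer's JWKS URL is configured, so that a config change cannot quietly point key fetches at a non-https source.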

Full changelog

What's Changed

  • Upgraded pyjwt to v2.13.0 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19233 - fixes:
    • GHSA-xgmm-8j9v-c9wx: JWK JSON accepted as HMAC secret (algorithm confusion)
    • GHSA-jq35-7prp-9v3f: Algorithm allow-list bypass with PyJWK / PyJWKClient
    • GHSA-w7vc-732c-9m39: DoS via base64 decode of unused payload segment when b64=false
    • GHSA-993g-76c3-p5m4: PyJWKClient accepts non-HTTP(S) URIs
    • GHSA-fhv5-28vv-h8m8: PyJWKClient cache wiped on fetch error
  • Upgraded idna to v3.15 to fix CVE-2026-45409 - specially crafted inputs to idna.encode() can lead to DoS - by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19233

Full Changelog: https://github.com/saleor/saleor/compare/3.23.6...3.23.7
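For a deployment audit the question is whether the pins, or the packages actually installed in the running image, are at or above the two fixed versions named in the changelog. The example below is added here and is not Saleor's or ReleasePort's code: it compares requirements-style pins and the current interpreter's installed distributions against pyjwt 2.13.0 and idna 3.15 using only the standard library. SAMPLE_PINS is a constructed pin set, not a real Saleor lock file, and only plain numeric versions are handled (pre-release suffixes fail closed).

```python
"""Version gate for the two dependencies this release bumps.

Added example, not Saleor's or ReleasePort's code. Checks pinned versions
(requirements-style "name==version" lines) and, optionally, what is
installed in the running interpreter against the minimum fixed versions
from the 3.23.7 changelog. Only plain numeric versions are compared.
"""
from __future__ import annotations

import re
from importlib import metadata

# Minimum fixed versions, taken from the changelog above.
MIN_FIXED: dict[str, tuple[int, ...]] = {
    "pyjwt": (2, 13, 0),
    "idna": (3, 15),
}

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'PyJWT' and 'pyjwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.13.0' into (2, 13, 0). Anything non-numeric raises so the
    caller fails closed instead of silently passing a pre-release pin."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(name: str, version: str) -> bool:
    """True when `version` of `name` is at or above the fixed version.
    Packages not in MIN_FIXED are not gated and return True."""
    floor = MIN_FIXED.get(normalize_name(name))
    if floor is None:
        return True
    v = parse_version(version)
    # Pad the shorter tuple so (3, 15) and (3, 15, 0) compare as equal.
    width = max(len(v), len(floor))
    return v + (0,) * (width - len(v)) >= floor + (0,) * (width - len(floor))


def vulnerable_pins(lines: list[str]) -> dict[str, str]:
    """Return {package: pinned_version} for gated packages still below the fix."""
    found: dict[str, str] = {}
    for line in lines:
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        key = normalize_name(name)
        if key in MIN_FIXED and not is_fixed(name, version):
            found[key] = version
    return found


def vulnerable_installed() -> dict[str, str]:
    """Same check against what is importable right now, e.g. inside the
    Saleor container. Packages that are not installed are skipped; an
    unparsable version is reported rather than assumed fixed."""
    found: dict[str, str] = {}
    for dist_name in MIN_FIXED:
        try:
            version = metadata.version(dist_name)
        except metadata.PackageNotFoundError:
            continue
        try:
            if not is_fixed(dist_name, version):
                found[dist_name] = version
        except ValueError:
            found[dist_name] = version
    return found


# Constructed sample: a pre-upgrade pin set, not a real Saleor lock file.
SAMPLE_PINS = [
    "Django==4.2.11",
    "PyJWT==2.10.1",
    "idna==3.10",
    "cryptography==43.0.1",
]

if __name__ == "__main__":
    print("pinned below fix:", vulnerable_pins(SAMPLE_PINS))
    print("installed below fix:", vulnerable_installed())
```

Run it inside the Saleor image to see what is actually installed, or feed vulnerable_pins the lines of the lock or requirements file you deploy from; an empty result for both is the condition a reviewer wants before closing the finding.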

Security Fixes

  • GHSA-xgmm-8j9v-c9wx: JWK JSON accepted as HMAC secret causing algorithm confusion
  • GHSA-jq35-7prp-9v3f: Algorithm allow-list bypass with PyJWK / PyJWKClient
  • GHSA-w7vc-732c-9m39: DoS via base64 decode of unused payload segment when b64=false
  • GHSA-993g-76c3-p5m4: PyJWKClient accepts non-HTTP(S) URIs
  • GHSA-fhv5-28vv-h8m8: PyJWKClient cache wiped on fetch error
  • CVE-2026-45409 (idna v3.15): Specially crafted inputs to idna.encode() can lead to DoS


About Saleor

Django-based open-source e-commerce storefront.
