Saleor

v3.23.8 Security

This release includes 7 security fixes for security teams reviewing exposed deployments.

Published 14h Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 7 known CVEs

Topics

cart checkout commerce composable e-commerce ecommerce

+12 more

graphql headless headless-commerce multichannel oms order-management payments pim python shop shopping-cart store

Affected surfaces

auth deps

ReleasePort's take

Moderate signal

editorial:auto 13h

The release bumps Django to v5.2.15 and urllib3 to v2.7.0, fixing multiple CVEs.

Why it matters: Django upgrades to v5.2.15 resolve five critical CVEs (2026-6873, 7666, 8404, 35193, 48587); urllib3 updates to v2.7.0 patch two high‑severity CVEs (2026-44432, 44431). Operators using these components should upgrade immediately.

Summary

AI summary

Updates What's Changed Bug fixes, CVE-2026-6873, and CVE-2026-7666 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Bumped Django to v5.2.15 fixing CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, CVE-2026-48587. Bumped Django to v5.2.15 fixing CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, CVE-2026-48587. Source: llm_adapter@2026-06-03 Confidence: high	—
Security	Critical	Bumped urllib3 to v2.7.0 fixing CVE-2026-44432 and CVE-2026-44431. Bumped urllib3 to v2.7.0 fixing CVE-2026-44432 and CVE-2026-44431. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix
Bugfix	Medium	Fixed TypeError when resolving default channel slug on product types. Fixed TypeError when resolving default channel slug on product types. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Fixed KeyError when resolving channel for channel‑agnostic account events. Fixed KeyError when resolving channel for channel‑agnostic account events. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Improved Sentry's PII scrubber. Improved Sentry's PII scrubber. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Fixed saving language code in customerUpdate mutation. Fixed saving language code in customerUpdate mutation. Source: llm_adapter@2026-06-03 Confidence: high	—

Full changelog

What's Changed

Bug fixes:

Fixed TypeError when resolving default channel slug on product types (#19251) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19276
Fixed KeyError when resolving channel for channel-agnostic account events (#19253) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19265
Improved Sentry's PII scrubber by @wcislo-saleor in https://github.com/saleor/saleor/pull/19273
Fixed saving language code in customerUpdate mutation (#19254) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19261

Security fixes:

Bumped Django to v5.2.15 to fix the following (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19283):
- CVE-2026-6873: Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
- CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
- CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
- CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
- CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header
Learn more at https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
Bumped urllib3 to v2.7.0 to fix the following (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19283):
- CVE-2026-44432: Decompression-bomb safeguards bypassed in parts of the streaming API
- CVE-2026-44431: Sensitive headers forwarded across origins in proxied low-level redirects
Learn more at https://github.com/urllib3/urllib3/releases/tag/2.7.0

Full Changelog: https://github.com/saleor/saleor/compare/3.23.7...3.23.8

Security Fixes

CVE-2026-6873 — Signed cookie salt namespace collision in Django's `HttpRequest.get_signed_cookie`
CVE-2026-7666 — Potential unencrypted email transmission via STARTTLS in Saleor SMTP backend
CVE-2026-8404 — Private data exposure via case‑sensitive `Cache-Control` directives in UpdateCacheMiddleware
CVE-2026-35193 — Private data exposure due to missing `Vary: Authorization` header in UpdateCacheMiddleware
CVE-2026-48587 — Private data exposure caused by whitespace padding in the `Vary` header
dep:CVE-2026-44432 — Decompression‑bomb safeguards bypassed in urllib3 streaming API
dep:CVE-2026-44431 — Sensitive headers forwarded across origins in proxied low‑level redirects (urllib3)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Saleor

Get notified when new releases ship.

About Saleor

Django based open-sourced e-commerce storefront.

All releases →

Related context

Related tools

Related CVEs

CVE-2026-35193 NVD KEV EPSS
CVE-2026-44431 NVD KEV EPSS
CVE-2026-44432 NVD KEV EPSS
CVE-2026-48587 NVD KEV EPSS
CVE-2026-6873 NVD KEV EPSS
CVE-2026-7666 NVD KEV EPSS
CVE-2026-8404 NVD KEV EPSS