Saleor E-commerce Platform Addresses Email Disclosure Vulnerability
A medium-severity information disclosure flaw, CVE-2026-39851, was discovered in the Saleor e-commerce platform. This vulnerability could expose user email addresses through specific error messages during email change requests. Several versions were affected, but patches have since been released to resolve the issue.
Context
Saleor is an open-source e-commerce platform that allows businesses to create online stores. The vulnerability, identified as CVE-2026-39851, was categorized as medium severity and affected several versions of the platform. It specifically allowed email addresses to be exposed through error messages during email change requests.
Why it matters
The disclosure of user email addresses can lead to privacy breaches and potential phishing attacks. Protecting user information is crucial for maintaining trust in e-commerce platforms. Addressing vulnerabilities promptly helps safeguard customer data and reinforces the platform's security measures.
Implications
If exploited, this vulnerability could lead to increased phishing attempts targeting affected users. Businesses using Saleor may face reputational damage if customer data is compromised. Ongoing vigilance and updates will be necessary to prevent future vulnerabilities and maintain user confidence.
What to watch
Users of the Saleor platform should ensure they have updated to the latest patched version to mitigate this vulnerability. Monitoring for any reports of phishing attempts related to this issue will be important. The response from the Saleor development team and user feedback on the effectiveness of the patches will also be key indicators.