Impact

When any user authenticates in the storefront, anonymous users are able to access their data.
The session is leaked through cache and can be accessed by anyone.

Patches

• https://github.com/saleor/storefront/commit/579241e75a5eb332ccf26e0bcdd54befa33f4783.patch

Workarounds

We strongly recommend upgrading to the latest versions, in case of inability to upgrade straight away, a possible workaround is to temporarily disable authentication by changing the usage of createSaleorAuthClient().

References

• 579241e
• saleor/saleor-docs#1120
• saleor/auth-sdk@56db134

Credit

@Jyrno42 (finder)