Description
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled: any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable.

  • Checkout address FormComponent (addressFieldUpdated action): accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country.
  • Cart WidgetComponent (refreshCart action): accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count.
  • Cart SummaryComponent (refreshCart action): accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total.

Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions 2.0.16, 2.1.12, 2.2.3 and above.
Published: 2026-03-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive customer data disclosure
Action: Patch
AI Analysis

Impact

This vulnerability is an Insecure Direct Object Reference in several Sylius shop LiveComponents. LiveComponent props are protected by a checksum, but #[LiveArg] action arguments are taken straight from the request, so an authenticated user can supply arbitrary resource identifiers. The affected actions load the corresponding entity with ->find() without checking that it belongs to the requesting customer. As a result, a malicious customer can read other customers' address data (first name, last name, company, phone number, street, city, postcode and country) and the totals, item counts, discounts, shipping costs and tax details of any cart or completed order, because carts and completed orders share the sylius_order ID space. The root cause is missing ownership validation of a user-supplied key, a classic CWE-639 (Authorization Bypass Through User-Controlled Key) scenario.

Affected Systems

The affected product is the Sylius eCommerce framework. Releases prior to 2.0.16, 2.1.12 and 2.2.3 on the 2.0, 2.1 and 2.2 branches respectively are impacted. The bug resides in the shop's checkout address FormComponent (addressFieldUpdated action) and in the cart WidgetComponent and SummaryComponent (refreshCart action). Any installation running a vulnerable release with the shop front end exposed should treat this flaw as high risk, since these components belong to the customer-facing shop rather than to an admin-only feature.

Risk and Exploitability

The CVSS v4.0 score of 7.1 (High; the v3.1 score recorded in the history below is 6.5, Medium) reflects a network-reachable flaw that requires only a low-privileged account and no user interaction, with high confidentiality impact and no impact on integrity or availability. The EPSS score below 1% suggests that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the weakness is straightforward to exploit: any authenticated shop user who can send LiveComponent action requests can set the addressId or cartId argument to an arbitrary value, because #[LiveArg] values are not covered by the checksum that protects props. No elevated privileges are needed; an ordinary customer account suffices, and because carts and completed orders share one ID space, enumerating other customers' orders by ID is straightforward.

Generated by OpenCVE AI on April 16, 2026 at 03:12 UTC.

Remediation

Fixed releases are available from the vendor: 2.0.16, 2.1.12 and 2.2.3 (see the GitHub advisory GHSA-2xc6-348p-c2x6 below). No official workaround is documented for earlier releases.

OpenCVE Recommended Actions

  • Upgrade Sylius to 2.0.16, 2.1.12 or 2.2.3 (or later), whichever matches the minor branch you run, to apply the IDOR fix.
  • If an upgrade is not yet possible, patch the affected actions locally so that every #[LiveArg]-supplied ID is validated against the current shopper before the entity is used: the address loaded in addressFieldUpdated must belong to the authenticated customer, and refreshCart should use the cart from the cart context (or reject a cartId that does not match it) instead of loading an arbitrary order by ID.
  • Treat every #[LiveArg] value as untrusted request input; unlike props, it is not protected by the LiveComponent checksum. Ensure that any future code introducing LiveComponent arguments performs explicit ownership validation, or scopes the repository query to the current user, before loading or returning an entity.

Generated by OpenCVE AI on April 16, 2026 at 03:12 UTC.
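The vulnerable pattern the description and the recommended actions refer to, shown beside a hardened form, as an added illustration written for this page. It is not Sylius's code and not the vendor's patch: the component class names are hypothetical, and the Sylius service interfaces (AddressRepositoryInterface, ShopperContextInterface, CartContextInterface) and the AddressInterface::getCustomer() accessor are assumed to have the signatures used here.

```php
<?php
// Added illustration, not Sylius's own code and not the upstream fix.
// Shows the pattern from the advisory: a LiveComponent action that loads an
// entity from a #[LiveArg] id with ->find() and no ownership check, beside a
// hardened version that binds the lookup to the current shopper.
// Assumptions: component names are hypothetical; the Sylius interfaces are
// used with the signatures assumed here.

declare(strict_types=1);

namespace App\Twig\Components;

use Sylius\Component\Core\Context\ShopperContextInterface;
use Sylius\Component\Core\Model\AddressInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Repository\AddressRepositoryInterface;
use Sylius\Component\Order\Context\CartContextInterface;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveAction;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\DefaultActionTrait;

#[AsLiveComponent('address_form_vulnerable')]
final class VulnerableAddressFormComponent
{
    use DefaultActionTrait;

    public ?AddressInterface $address = null;

    public function __construct(private readonly AddressRepositoryInterface $addressRepository) {}

    // VULNERABLE: $addressId arrives in the action request, not in a
    // checksummed prop, so the caller may put any integer here. find() then
    // returns whichever customer's address carries that id.
    #[LiveAction]
    public function addressFieldUpdated(#[LiveArg] int $addressId): void
    {
        $this->address = $this->addressRepository->find($addressId);
    }
}

#[AsLiveComponent('address_form_hardened')]
final class HardenedAddressFormComponent
{
    use DefaultActionTrait;

    public ?AddressInterface $address = null;

    public function __construct(
        private readonly AddressRepositoryInterface $addressRepository,
        private readonly ShopperContextInterface $shopperContext,
    ) {}

    // HARDENED: the id is still attacker-controlled, so the loaded row is
    // checked against the authenticated customer. A mismatch is answered
    // exactly like a missing row (404), so the response does not even
    // confirm that the id exists. A guest (no customer) owns no addresses.
    #[LiveAction]
    public function addressFieldUpdated(#[LiveArg] int $addressId): void
    {
        $customer = $this->shopperContext->getCustomer();
        $address = $this->addressRepository->find($addressId);

        if (null === $customer
            || !$address instanceof AddressInterface
            || $address->getCustomer() !== $customer) {
            throw new NotFoundHttpException('Address not found.');
        }

        $this->address = $address;
    }
}

#[AsLiveComponent('cart_summary_hardened')]
final class HardenedCartSummaryComponent
{
    use DefaultActionTrait;

    public ?OrderInterface $cart = null;

    public function __construct(private readonly CartContextInterface $cartContext) {}

    // HARDENED: the cart the shopper may see is the one bound to their
    // session/customer, so it comes from the cart context, never from a
    // repository lookup keyed by a request argument (sylius_order also holds
    // completed orders in the same id space). The arg is tolerated only for
    // template compatibility and must match the shopper's own cart.
    #[LiveAction]
    public function refreshCart(#[LiveArg] ?int $cartId = null): void
    {
        $cart = $this->cartContext->getCart();

        if (null !== $cartId && $cartId !== $cart->getId()) {
            throw new NotFoundHttpException('Cart not found.');
        }

        $this->cart = $cart;
    }
}
```

The essential difference is where the authority comes from: in the vulnerable form the request argument selects the row, in the hardened forms the authenticated session selects the row and the argument is at most cross-checked against it. Returning the same 404 for "does not exist" and "not yours" also keeps the endpoint from serving as an ID oracle.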

Advisories
Source        ID                     Title
GitHub GHSA   GHSA-2xc6-348p-c2x6    Sylius affected by IDOR in Cart and Checkout LiveComponents
History

Wed, 11 Mar 2026 19:45:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1
                           {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 11 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Sylius
                                       Sylius sylius
Vendors & Products                     Sylius
                                       Sylius sylius

Tue, 10 Mar 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description                    Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count. Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total. Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Title                          Sylius affected by IDOR in Cart and Checkout LiveComponents
Weaknesses                     CWE-639
References
Metrics                        cvssV4_0
                               {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:59:53.833Z

Reserved: 2026-03-09T17:41:56.076Z

Link: CVE-2026-31820

Vulnrichment

Updated: 2026-03-11T15:52:02.588Z

NVD

Status : Analyzed

Published: 2026-03-10T22:16:19.493

Modified: 2026-03-11T19:34:28.173

Link: CVE-2026-31820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses