Description
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Published: 2026-03-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Cart Modification
Action: Patch
AI Analysis

Impact

The POST /api/v2/shop/orders/{tokenValue}/items endpoint in Sylius fails to verify that the cart belongs to the caller. This flaw allows an unauthenticated attacker who knows a valid cart tokenValue to add arbitrary items to an existing customer's shopping cart, effectively creating an unauthorized order. The vulnerability is an instance of improper authorization (CWE-862) and can lead to financial loss or customer confusion if the altered cart is checked out.

Affected Systems

The open source Sylius eCommerce framework on Symfony is affected in every release before the patched versions 2.0.16, 2.1.12 and 2.2.3 of their respective release lines. Those versions include the necessary authorization check, and all later releases are considered secure.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% shows that exploitation is expected to be rare. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires knowledge of a specific cart tokenValue, widespread attacks are limited, but once a token is obtained, the attacker can immediately add items to the cart by sending a simple HTTP POST request.

Generated by OpenCVE AI on April 16, 2026 at 09:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sylius to version 2.0.16, 2.1.12 or 2.2.3 or later, which restores proper cart ownership checks.
  • Require authentication for the /api/v2/shop/orders/{tokenValue}/items endpoint, ensuring only the rightful customer can modify the cart.
  • Apply network or proxy restrictions so that only trusted IP addresses or internal clients can reach the cart-modification endpoint.

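The ownership check that the recommended upgrade restores, modelled here as an added Python illustration rather than Sylius's own PHP code. It assumes a cart is either a guest cart (no customer assigned, usable with its token alone) or a cart assigned to a registered customer, and it contrasts the pre-fix handler, which only checks that the token resolves to a cart, with a handler that also requires the caller to be that customer.

```python
"""Constructed model of the add-item endpoint with and without a cart
ownership check. Cart tokens, customer ids and variant codes below are
sample values, not real Sylius identifiers."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cart:
    token_value: str
    customer_id: Optional[int]            # None marks a guest cart
    items: List[str] = field(default_factory=list)


def make_carts() -> Dict[str, Cart]:
    """Fresh sample data: one guest cart and one cart owned by customer 42."""
    return {
        "guest-token-1": Cart("guest-token-1", None),
        "cust-token-42": Cart("cust-token-42", 42),
    }


def add_item_vulnerable(carts: Dict[str, Cart], token_value: str,
                        variant_code: str, caller_id: Optional[int]) -> int:
    """Pre-fix behaviour: knowing a valid token is enough to modify the cart.
    caller_id is ignored, so an anonymous caller (None) succeeds."""
    cart = carts.get(token_value)
    if cart is None:
        return 404
    cart.items.append(variant_code)
    return 201


def add_item_fixed(carts: Dict[str, Cart], token_value: str,
                   variant_code: str, caller_id: Optional[int]) -> int:
    """Ownership check: a cart assigned to a customer may only be changed by
    that authenticated customer. Guest carts stay usable with the token."""
    cart = carts.get(token_value)
    if cart is None:
        return 404
    if cart.customer_id is not None and caller_id != cart.customer_id:
        # 404 instead of 403 would additionally avoid confirming the token.
        return 403
    cart.items.append(variant_code)
    return 201


if __name__ == "__main__":
    carts = make_carts()
    print("vulnerable, anonymous:", add_item_vulnerable(carts, "cust-token-42", "MUG", None))
    print("fixed, anonymous:     ", add_item_fixed(make_carts(), "cust-token-42", "MUG", None))
```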


Advisories

Source: Github GHSA
ID: GHSA-wjmg-4cq5-m8hg
Title: Sylius is Missing Authorization in API v2 Add Item Endpoint
History

Wed, 11 Mar 2026 19:45:00 +0000

Values added:
  CPEs: cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
  Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 11 Mar 2026 16:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Values added:
  First Time appeared: Sylius; Sylius sylius
  Vendors & Products: Sylius; Sylius sylius

Tue, 10 Mar 2026 21:45:00 +0000

Values added:
  Description: Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
  Title: Sylius is Missing Authorization in API v2 Add Item Endpoint
  Weaknesses: CWE-862
  References: (none listed)
  Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:19:28.880Z

Reserved: 2026-03-09T17:41:56.076Z

Link: CVE-2026-31821

Vulnrichment

Updated: 2026-03-11T15:09:18.926Z

NVD

Status: Analyzed

Published: 2026-03-10T22:16:19.653

Modified: 2026-03-11T19:33:33.797

Link: CVE-2026-31821

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses