CVE-2026-31821 PUBLISHED

Sylius is Missing Authorization in API v2 Add Item Endpoint

Assigner: GitHub_M
Reserved: 09.03.2026 Published: 10.03.2026 Updated: 11.03.2026

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Sylius
Product	Sylius
Versions	Version >= 2.2.0, < 2.2.3 is affected Version >= 2.1.0, < 2.1.12 is affected Version >= 2.0.0, < 2.0.16 is affected

References

https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg

Problem Types

CWE-862: Missing Authorization CWE