CVE-2026-31820
Received Received - Intake
IDOR in Sylius LiveComponents Exposes Sensitive Order Data

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count. Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total. Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-05-07
AI Q&A
2026-03-11
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31820
EUVD
EUVD-2026-10912
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
sylius sylius From 2.0.0 (inc) to 2.0.16 (exc)
sylius sylius From 2.1.0 (inc) to 2.1.12 (exc)
sylius sylius From 2.2.0 (inc) to 2.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an authenticated Insecure Direct Object Reference (IDOR) in the Sylius eCommerce Framework. It occurs because certain LiveComponents accept resource IDs via #[LiveArg] parameters without validating ownership. Unlike props, which are protected, these args are fully user-controlled. This means an attacker with authentication can supply arbitrary resource IDs to access data they should not have access to.

Specifically, the vulnerability affects components like the Checkout address FormComponent, Cart WidgetComponent, and Cart SummaryComponent. For example, the addressFormComponent loads an address by ID without verifying if the user owns it, exposing personal details such as first name, last name, company, phone number, and address information. Similarly, the cart components expose order totals, item counts, discounts, shipping costs, taxes, and more from any order or cart in the system.

The root cause is that the system loads resources by ID without checking if the authenticated user is authorized to access those resources.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive personal and order information. An authenticated attacker can access other users' personal details such as names, company, phone numbers, and full address information.

Additionally, attackers can view order details including totals, item counts, discounts, shipping costs, and taxes for any cart or completed order in the system. This exposure can lead to privacy violations, potential fraud, and loss of customer trust.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Sylius versions 2.0.16, 2.1.12, 2.2.3 and above.

To mitigate this vulnerability, you should upgrade your Sylius installation to one of these fixed versions or later.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart