CVE-2026-31821
Status: Received - Intake
Unauthorized Cart Modification in Sylius via Insecure API Endpoint

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
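As an added illustration (not part of the advisory or of Sylius's own code), the following Python script applies the ownership rule that the fixed versions enforce to a set of constructed access-log lines, flagging item additions to a registered customer's cart by anyone other than that customer. The log format, the token-to-owner map and the treatment of guest carts are assumptions made here, not details from the advisory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Path shape of the endpoint named in the advisory; the token segment is captured.
ITEMS_PATH = re.compile(r"^/api/v2/shop/orders/(?P<token>[^/]+)/items$")

# Constructed sample: cart token -> owning customer id (None = guest cart).
# In a real deployment this mapping would come from the order table.
CART_OWNERS = {
    "tok_alice_1": "alice@example.test",
    "tok_bob_7": "bob@example.test",
    "tok_guest_3": None,
}

# Constructed access-log lines: "<method> <path> <authenticated subject or ->"
SAMPLE_LOG = """\
POST /api/v2/shop/orders/tok_alice_1/items alice@example.test
POST /api/v2/shop/orders/tok_alice_1/items -
POST /api/v2/shop/orders/tok_bob_7/items alice@example.test
POST /api/v2/shop/orders/tok_guest_3/items -
GET /api/v2/shop/orders/tok_bob_7/items bob@example.test
"""

@dataclass
class Finding:
    token: str
    owner: Optional[str]
    requester: Optional[str]

def owner_check(owner: Optional[str], requester: Optional[str]) -> bool:
    """Assumed rule: a registered customer's cart may only be modified by that
    customer; a guest cart (no owner) is left to the token alone."""
    return owner is None or owner == requester

def find_cross_cart_adds(log_text: str, owners: dict) -> list:
    findings = []
    for line in log_text.splitlines():
        method, path, subject = line.split()
        m = ITEMS_PATH.match(path)
        if method != "POST" or not m:
            continue
        token = m.group("token")
        requester = None if subject == "-" else subject
        owner = owners.get(token)  # unknown tokens are treated as guest carts
        if not owner_check(owner, requester):
            findings.append(Finding(token, owner, requester))
    return findings
```

Running `find_cross_cart_adds(SAMPLE_LOG, CART_OWNERS)` reports the unauthenticated add to Alice's cart and Alice's add to Bob's cart; the guest-cart add and the GET are not flagged.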
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor Product Version / Range
sylius sylius From 2.0.0 (inc) to 2.0.16 (exc)
sylius sylius From 2.1.0 (inc) to 2.1.12 (exc)
sylius sylius From 2.2.0 (inc) to 2.2.3 (exc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in the Sylius Open Source eCommerce Framework on Symfony, specifically in the POST /api/v2/shop/orders/{tokenValue}/items endpoint.

The endpoint does not verify cart ownership: an unauthenticated attacker who obtains the tokenValue of another customer's cart can add arbitrary items to that cart.

Additionally, the endpoint returns the full cart representation in the response, which could expose further information.

This issue has been fixed in Sylius versions 2.0.16, 2.1.12, 2.2.3 and above.

Impact Analysis

This vulnerability can impact you by allowing an attacker to manipulate your shopping cart without your consent.

An attacker could add unwanted or arbitrary items to your cart, potentially causing confusion, incorrect orders, or financial implications if the order is processed.

Since the attacker does not need to be authenticated, this could affect any customer whose cart tokenValue is known or guessed.

Furthermore, the exposure of the full cart representation in the response could leak sensitive information about your cart contents.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Sylius to version 2.0.16, 2.1.12, 2.2.3 or above, where the issue has been fixed.
