Vulnerability-Lookup

CVE-2026-31821 (GCVE-0-2026-31821)

Vulnerability from cvelistv5 – Published: 2026-03-10 21:25 – Updated: 2026-03-11 15:19

Title

Sylius is Missing Authorization in API v2 Add Item Endpoint

Summary

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

https://github.com/Sylius/Sylius/security/advisor…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Sylius	Sylius	Affected: >= 2.2.0, < 2.2.3 Affected: >= 2.1.0, < 2.1.12 Affected: >= 2.0.0, < 2.0.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31821",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T15:09:13.238186Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T15:19:28.880Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sylius",
          "vendor": "Sylius",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.2.0, \u003c 2.2.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.1.0, \u003c 2.1.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers\u0027 carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer\u0027s cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T21:25:20.368Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg"
        }
      ],
      "source": {
        "advisory": "GHSA-wjmg-4cq5-m8hg",
        "discovery": "UNKNOWN"
      },
      "title": "Sylius is Missing Authorization in API v2 Add Item Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-31821",
    "datePublished": "2026-03-10T21:25:20.368Z",
    "dateReserved": "2026-03-09T17:41:56.076Z",
    "dateUpdated": "2026-03-11T15:19:28.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31821\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T22:16:19.653\",\"lastModified\":\"2026-03-11T19:33:33.797\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers\u0027 carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer\u0027s cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.\"},{\"lang\":\"es\",\"value\":\"Sylius es un Framework de eCommerce de C\u00f3digo Abierto en Symfony. El endpoint POST /api/v2/shop/orders/{tokenValue}/items no verifica la propiedad del carrito. Un atacante no autenticado puede a\u00f1adir art\u00edculos a los carritos de otros clientes registrados conociendo el tokenValue del carrito. Un atacante que obtiene un tokenValue de carrito puede a\u00f1adir art\u00edculos arbitrarios al carrito de otro cliente. El endpoint devuelve la representaci\u00f3n completa del carrito en la respuesta (HTTP 201). El problema est\u00e1 solucionado en las versiones: 2.0.16, 2.1.12, 2.2.3 y superiores.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.0.16\",\"matchCriteriaId\":\"DA9449ED-A73A-4D16-A464-DBCBE24CA6A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.1.0\",\"versionEndExcluding\":\"2.1.12\",\"matchCriteriaId\":\"F45888BF-720D-4B78-BA7D-ED7E5E091A8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"2.2.3\",\"matchCriteriaId\":\"9A2540B0-56B9-4B15-9876-BE908A80BB0A\"}]}]}],\"references\":[{\"url\":\"https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Sylius is Missing Authorization in API v2 Add Item Endpoint\", \"source\": {\"advisory\": \"GHSA-wjmg-4cq5-m8hg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Sylius\", \"product\": \"Sylius\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.2.0, \u003c 2.2.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.1.0, \u003c 2.1.12\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.0.16\"}]}], \"references\": [{\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg\", \"name\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers\u0027 carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer\u0027s cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-10T21:25:20.368Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-31821\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T15:09:13.238186Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-11T15:09:18.926Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-31821\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T21:25:20.368Z\", \"dateReserved\": \"2026-03-09T17:41:56.076Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-10T21:25:20.368Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-WJMG-4CQ5-M8HG

Vulnerability from github – Published: 2026-03-11 00:12 – Updated: 2026-03-11 05:46

Summary

Sylius is Missing Authorization in API v2 Add Item Endpoint

Details

Impact

The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue.

POST /api/v2/shop/orders/{tokenValue}/items

Other mutation endpoints (PUT, PATCH, DELETE) are not affected. API Platform loads the Order entity through the state provider for these operations, which triggers VisitorBasedExtension and returns 404 for unauthorized users.

An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201), potentially leaking:

Customer email address
Cart contents (products, quantities, prices)
Address data (billing and shipping if set)
Payment and shipment IDs
Order totals and tax breakdown
Checkout state

Patches

The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3, and above.

Workarounds

Add an ownership check in AddItemToCartHandler by injecting UserContextInterface and verifying the current user matches the cart owner before adding items.

Step 1. Patch the handler

Create new src/CommandHandler/Cart/AddItemToCartHandler.php:

<?php

declare(strict_types=1);

namespace App\CommandHandler\Cart;

use Sylius\Bundle\ApiBundle\Command\Cart\AddItemToCart;
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
use Sylius\Component\Core\Factory\CartItemFactoryInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Model\OrderItemInterface;
use Sylius\Component\Core\Model\ProductVariantInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Component\Core\Repository\ProductVariantRepositoryInterface;
use Sylius\Component\Order\Modifier\OrderItemQuantityModifierInterface;
use Sylius\Component\Order\Modifier\OrderModifierInterface;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;

#[AsMessageHandler]
final readonly class AddItemToCartHandler
{
    public function __construct(
        private OrderRepositoryInterface $orderRepository,
        private ProductVariantRepositoryInterface $productVariantRepository,
        private OrderModifierInterface $orderModifier,
        private CartItemFactoryInterface $cartItemFactory,
        private OrderItemQuantityModifierInterface $orderItemQuantityModifier,
        private UserContextInterface $userContext,
    ) {
    }

    public function __invoke(AddItemToCart $addItemToCart): OrderInterface
    {
        /** @var ProductVariantInterface|null $productVariant */
        $productVariant = $this->productVariantRepository->findOneBy(['code' => $addItemToCart->productVariantCode]);

        if ($productVariant === null) {
            throw new \InvalidArgumentException('Product variant with given code has not been found.');
        }

        /** @var OrderInterface|null $cart */
        $cart = $this->orderRepository->findCartByTokenValue($addItemToCart->orderTokenValue);

        if ($cart === null) {
            throw new \InvalidArgumentException('Cart with given token has not been found.');
        }

        $this->assertCartAccessible($cart);

        /** @var OrderItemInterface $cartItem */
        $cartItem = $this->cartItemFactory->createNew();
        $cartItem->setVariant($productVariant);

        $this->orderItemQuantityModifier->modify($cartItem, $addItemToCart->quantity);
        $this->orderModifier->addToOrder($cart, $cartItem);

        return $cart;
    }

    private function assertCartAccessible(OrderInterface $cart): void
    {
        if ($cart->isCreatedByGuest()) {
            return;
        }

        $cartCustomer = $cart->getCustomer();

        if (null === $cartCustomer || null === $cartCustomer->getUser()) {
            return;
        }

        $currentUser = $this->userContext->getUser();

        if (
            $currentUser instanceof ShopUserInterface
            && $currentUser->getCustomer()?->getId() === $cartCustomer->getId()
        ) {
            return;
        }

        throw new NotFoundHttpException('Cart not found.');
    }
}

Step 2. Override the service

# config/services.yaml

services:
    App\:
        resource: '../src/*'
-       exclude: '../src/{Entity,Kernel.php}'                                                                         
+       exclude: '../src/{Entity,Kernel.php,CommandHandler}'

    sylius_api.command_handler.cart.add_item_to_cart:
        class: App\CommandHandler\Cart\AddItemToCartHandler
        arguments:
            $orderRepository: '@sylius.repository.order'
            $productVariantRepository: '@sylius.repository.product_variant'
            $orderModifier: '@sylius.modifier.order'
            $cartItemFactory: '@sylius.factory.order_item'
            $orderItemQuantityModifier: '@sylius.modifier.order_item_quantity'
            $userContext: '@Sylius\Bundle\ApiBundle\Context\UserContextInterface'
        tags:
            - { name: messenger.message_handler, bus: sylius.command_bus }

Step 3. Clear cache

bin/console cache:clear

Reporters

We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - @rokorolov

For more information

If you have any questions or comments about this advisory:

Open an issue in Sylius issues
Email us at security@sylius.com

Severity ?

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.11"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:12:54Z",
    "nvd_published_at": "2026-03-10T22:16:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe `POST /api/v2/shop/orders/{tokenValue}/items` endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers\u0027 carts by knowing the cart `tokenValue`.\n\n```\nPOST /api/v2/shop/orders/{tokenValue}/items\n```\n\nOther mutation endpoints (PUT, PATCH, DELETE) are **not affected**. API Platform loads the Order entity through the state provider for these operations, which triggers `VisitorBasedExtension` and returns 404 for unauthorized users.\n\nAn attacker who obtains a cart `tokenValue` can add arbitrary items to another customer\u0027s cart. The endpoint returns the full cart representation in the response (HTTP 201), potentially leaking:\n\n- Customer email address\n- Cart contents (products, quantities, prices)\n- Address data (billing and shipping if set)\n- Payment and shipment IDs\n- Order totals and tax breakdown\n- Checkout state\n\n### Patches\nThe issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3, and above.\n\n### Workarounds\nAdd an ownership check in `AddItemToCartHandler` by injecting `UserContextInterface` and verifying the current user matches the cart owner before adding items.\n\n#### Step 1. Patch the handler\n\nCreate new  `src/CommandHandler/Cart/AddItemToCartHandler.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\CommandHandler\\Cart;\n\nuse Sylius\\Bundle\\ApiBundle\\Command\\Cart\\AddItemToCart;\nuse Sylius\\Bundle\\ApiBundle\\Context\\UserContextInterface;\nuse Sylius\\Component\\Core\\Factory\\CartItemFactoryInterface;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Model\\OrderItemInterface;\nuse Sylius\\Component\\Core\\Model\\ProductVariantInterface;\nuse Sylius\\Component\\Core\\Model\\ShopUserInterface;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Component\\Core\\Repository\\ProductVariantRepositoryInterface;\nuse Sylius\\Component\\Order\\Modifier\\OrderItemQuantityModifierInterface;\nuse Sylius\\Component\\Order\\Modifier\\OrderModifierInterface;\nuse Symfony\\Component\\HttpKernel\\Exception\\NotFoundHttpException;\nuse Symfony\\Component\\Messenger\\Attribute\\AsMessageHandler;\n\n#[AsMessageHandler]\nfinal readonly class AddItemToCartHandler\n{\n    public function __construct(\n        private OrderRepositoryInterface $orderRepository,\n        private ProductVariantRepositoryInterface $productVariantRepository,\n        private OrderModifierInterface $orderModifier,\n        private CartItemFactoryInterface $cartItemFactory,\n        private OrderItemQuantityModifierInterface $orderItemQuantityModifier,\n        private UserContextInterface $userContext,\n    ) {\n    }\n\n    public function __invoke(AddItemToCart $addItemToCart): OrderInterface\n    {\n        /** @var ProductVariantInterface|null $productVariant */\n        $productVariant = $this-\u003eproductVariantRepository-\u003efindOneBy([\u0027code\u0027 =\u003e $addItemToCart-\u003eproductVariantCode]);\n\n        if ($productVariant === null) {\n            throw new \\InvalidArgumentException(\u0027Product variant with given code has not been found.\u0027);\n        }\n\n        /** @var OrderInterface|null $cart */\n        $cart = $this-\u003eorderRepository-\u003efindCartByTokenValue($addItemToCart-\u003eorderTokenValue);\n\n        if ($cart === null) {\n            throw new \\InvalidArgumentException(\u0027Cart with given token has not been found.\u0027);\n        }\n\n        $this-\u003eassertCartAccessible($cart);\n\n        /** @var OrderItemInterface $cartItem */\n        $cartItem = $this-\u003ecartItemFactory-\u003ecreateNew();\n        $cartItem-\u003esetVariant($productVariant);\n\n        $this-\u003eorderItemQuantityModifier-\u003emodify($cartItem, $addItemToCart-\u003equantity);\n        $this-\u003eorderModifier-\u003eaddToOrder($cart, $cartItem);\n\n        return $cart;\n    }\n\n    private function assertCartAccessible(OrderInterface $cart): void\n    {\n        if ($cart-\u003eisCreatedByGuest()) {\n            return;\n        }\n\n        $cartCustomer = $cart-\u003egetCustomer();\n\n        if (null === $cartCustomer || null === $cartCustomer-\u003egetUser()) {\n            return;\n        }\n\n        $currentUser = $this-\u003euserContext-\u003egetUser();\n\n        if (\n            $currentUser instanceof ShopUserInterface\n            \u0026\u0026 $currentUser-\u003egetCustomer()?-\u003egetId() === $cartCustomer-\u003egetId()\n        ) {\n            return;\n        }\n\n        throw new NotFoundHttpException(\u0027Cart not found.\u0027);\n    }\n}\n```\n\n#### Step 2. Override the service\n\n```diff\n# config/services.yaml\n\nservices:\n    App\\:\n        resource: \u0027../src/*\u0027\n-       exclude: \u0027../src/{Entity,Kernel.php}\u0027                                                                         \n+       exclude: \u0027../src/{Entity,Kernel.php,CommandHandler}\u0027\n\n    sylius_api.command_handler.cart.add_item_to_cart:\n        class: App\\CommandHandler\\Cart\\AddItemToCartHandler\n        arguments:\n            $orderRepository: \u0027@sylius.repository.order\u0027\n            $productVariantRepository: \u0027@sylius.repository.product_variant\u0027\n            $orderModifier: \u0027@sylius.modifier.order\u0027\n            $cartItemFactory: \u0027@sylius.factory.order_item\u0027\n            $orderItemQuantityModifier: \u0027@sylius.modifier.order_item_quantity\u0027\n            $userContext: \u0027@Sylius\\Bundle\\ApiBundle\\Context\\UserContextInterface\u0027\n        tags:\n            - { name: messenger.message_handler, bus: sylius.command_bus }\n```\n\n#### Step 3. Clear cache\n\n```bash\nbin/console cache:clear\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- @rokorolov\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-wjmg-4cq5-m8hg",
  "modified": "2026-03-11T05:46:30Z",
  "published": "2026-03-11T00:12:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31821"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sylius is Missing Authorization in API v2 Add Item Endpoint"
}

FKIE_CVE-2026-31821

Vulnerability from fkie_nvd - Published: 2026-03-10 22:16 - Updated: 2026-03-11 19:33

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg	Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
sylius	sylius	*
sylius	sylius	*
sylius	sylius	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA9449ED-A73A-4D16-A464-DBCBE24CA6A6",
              "versionEndExcluding": "2.0.16",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F45888BF-720D-4B78-BA7D-ED7E5E091A8C",
              "versionEndExcluding": "2.1.12",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A2540B0-56B9-4B15-9876-BE908A80BB0A",
              "versionEndExcluding": "2.2.3",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers\u0027 carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer\u0027s cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above."
    },
    {
      "lang": "es",
      "value": "Sylius es un Framework de eCommerce de C\u00f3digo Abierto en Symfony. El endpoint POST /api/v2/shop/orders/{tokenValue}/items no verifica la propiedad del carrito. Un atacante no autenticado puede a\u00f1adir art\u00edculos a los carritos de otros clientes registrados conociendo el tokenValue del carrito. Un atacante que obtiene un tokenValue de carrito puede a\u00f1adir art\u00edculos arbitrarios al carrito de otro cliente. El endpoint devuelve la representaci\u00f3n completa del carrito en la respuesta (HTTP 201). El problema est\u00e1 solucionado en las versiones: 2.0.16, 2.1.12, 2.2.3 y superiores."
    }
  ],
  "id": "CVE-2026-31821",
  "lastModified": "2026-03-11T19:33:33.797",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-10T22:16:19.653",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-31821 (GCVE-0-2026-31821)

GHSA-WJMG-4CQ5-M8HG

Impact

Patches

Workarounds

Step 1. Patch the handler

Step 2. Override the service

Step 3. Clear cache

Reporters

For more information

FKIE_CVE-2026-31821

Tags

Sightings

Nomenclature