GHSA-WJMG-4CQ5-M8HG

Vulnerability from github – Published: 2026-03-11 00:12 – Updated: 2026-03-11 05:46
VLAI?
Summary
Sylius is Missing Authorization in API v2 Add Item Endpoint
Details

Impact

The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue.

POST /api/v2/shop/orders/{tokenValue}/items

Other mutation endpoints (PUT, PATCH, DELETE) are not affected. API Platform loads the Order entity through the state provider for these operations, which triggers VisitorBasedExtension and returns 404 for unauthorized users.

An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201), potentially leaking:

  • Customer email address
  • Cart contents (products, quantities, prices)
  • Address data (billing and shipping if set)
  • Payment and shipment IDs
  • Order totals and tax breakdown
  • Checkout state

Patches

The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3, and above.

Workarounds

Add an ownership check in AddItemToCartHandler by injecting UserContextInterface and verifying the current user matches the cart owner before adding items.

Step 1. Patch the handler

Create new src/CommandHandler/Cart/AddItemToCartHandler.php:

<?php

declare(strict_types=1);

namespace App\CommandHandler\Cart;

use Sylius\Bundle\ApiBundle\Command\Cart\AddItemToCart;
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
use Sylius\Component\Core\Factory\CartItemFactoryInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Model\OrderItemInterface;
use Sylius\Component\Core\Model\ProductVariantInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Component\Core\Repository\ProductVariantRepositoryInterface;
use Sylius\Component\Order\Modifier\OrderItemQuantityModifierInterface;
use Sylius\Component\Order\Modifier\OrderModifierInterface;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;

#[AsMessageHandler]
final readonly class AddItemToCartHandler
{
    public function __construct(
        private OrderRepositoryInterface $orderRepository,
        private ProductVariantRepositoryInterface $productVariantRepository,
        private OrderModifierInterface $orderModifier,
        private CartItemFactoryInterface $cartItemFactory,
        private OrderItemQuantityModifierInterface $orderItemQuantityModifier,
        private UserContextInterface $userContext,
    ) {
    }

    public function __invoke(AddItemToCart $addItemToCart): OrderInterface
    {
        /** @var ProductVariantInterface|null $productVariant */
        $productVariant = $this->productVariantRepository->findOneBy(['code' => $addItemToCart->productVariantCode]);

        if ($productVariant === null) {
            throw new \InvalidArgumentException('Product variant with given code has not been found.');
        }

        /** @var OrderInterface|null $cart */
        $cart = $this->orderRepository->findCartByTokenValue($addItemToCart->orderTokenValue);

        if ($cart === null) {
            throw new \InvalidArgumentException('Cart with given token has not been found.');
        }

        $this->assertCartAccessible($cart);

        /** @var OrderItemInterface $cartItem */
        $cartItem = $this->cartItemFactory->createNew();
        $cartItem->setVariant($productVariant);

        $this->orderItemQuantityModifier->modify($cartItem, $addItemToCart->quantity);
        $this->orderModifier->addToOrder($cart, $cartItem);

        return $cart;
    }

    private function assertCartAccessible(OrderInterface $cart): void
    {
        if ($cart->isCreatedByGuest()) {
            return;
        }

        $cartCustomer = $cart->getCustomer();

        if (null === $cartCustomer || null === $cartCustomer->getUser()) {
            return;
        }

        $currentUser = $this->userContext->getUser();

        if (
            $currentUser instanceof ShopUserInterface
            && $currentUser->getCustomer()?->getId() === $cartCustomer->getId()
        ) {
            return;
        }

        throw new NotFoundHttpException('Cart not found.');
    }
}

Step 2. Override the service

# config/services.yaml

services:
    App\:
        resource: '../src/*'
-       exclude: '../src/{Entity,Kernel.php}'                                                                         
+       exclude: '../src/{Entity,Kernel.php,CommandHandler}'

    sylius_api.command_handler.cart.add_item_to_cart:
        class: App\CommandHandler\Cart\AddItemToCartHandler
        arguments:
            $orderRepository: '@sylius.repository.order'
            $productVariantRepository: '@sylius.repository.product_variant'
            $orderModifier: '@sylius.modifier.order'
            $cartItemFactory: '@sylius.factory.order_item'
            $orderItemQuantityModifier: '@sylius.modifier.order_item_quantity'
            $userContext: '@Sylius\Bundle\ApiBundle\Context\UserContextInterface'
        tags:
            - { name: messenger.message_handler, bus: sylius.command_bus }

Step 3. Clear cache

bin/console cache:clear

Reporters

We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - @rokorolov

For more information

If you have any questions or comments about this advisory:

Severity ?
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.11"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:12:54Z",
    "nvd_published_at": "2026-03-10T22:16:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe `POST /api/v2/shop/orders/{tokenValue}/items` endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers\u0027 carts by knowing the cart `tokenValue`.\n\n```\nPOST /api/v2/shop/orders/{tokenValue}/items\n```\n\nOther mutation endpoints (PUT, PATCH, DELETE) are **not affected**. API Platform loads the Order entity through the state provider for these operations, which triggers `VisitorBasedExtension` and returns 404 for unauthorized users.\n\nAn attacker who obtains a cart `tokenValue` can add arbitrary items to another customer\u0027s cart. The endpoint returns the full cart representation in the response (HTTP 201), potentially leaking:\n\n- Customer email address\n- Cart contents (products, quantities, prices)\n- Address data (billing and shipping if set)\n- Payment and shipment IDs\n- Order totals and tax breakdown\n- Checkout state\n\n### Patches\nThe issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3, and above.\n\n### Workarounds\nAdd an ownership check in `AddItemToCartHandler` by injecting `UserContextInterface` and verifying the current user matches the cart owner before adding items.\n\n#### Step 1. Patch the handler\n\nCreate new  `src/CommandHandler/Cart/AddItemToCartHandler.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\CommandHandler\\Cart;\n\nuse Sylius\\Bundle\\ApiBundle\\Command\\Cart\\AddItemToCart;\nuse Sylius\\Bundle\\ApiBundle\\Context\\UserContextInterface;\nuse Sylius\\Component\\Core\\Factory\\CartItemFactoryInterface;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Model\\OrderItemInterface;\nuse Sylius\\Component\\Core\\Model\\ProductVariantInterface;\nuse Sylius\\Component\\Core\\Model\\ShopUserInterface;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Component\\Core\\Repository\\ProductVariantRepositoryInterface;\nuse Sylius\\Component\\Order\\Modifier\\OrderItemQuantityModifierInterface;\nuse Sylius\\Component\\Order\\Modifier\\OrderModifierInterface;\nuse Symfony\\Component\\HttpKernel\\Exception\\NotFoundHttpException;\nuse Symfony\\Component\\Messenger\\Attribute\\AsMessageHandler;\n\n#[AsMessageHandler]\nfinal readonly class AddItemToCartHandler\n{\n    public function __construct(\n        private OrderRepositoryInterface $orderRepository,\n        private ProductVariantRepositoryInterface $productVariantRepository,\n        private OrderModifierInterface $orderModifier,\n        private CartItemFactoryInterface $cartItemFactory,\n        private OrderItemQuantityModifierInterface $orderItemQuantityModifier,\n        private UserContextInterface $userContext,\n    ) {\n    }\n\n    public function __invoke(AddItemToCart $addItemToCart): OrderInterface\n    {\n        /** @var ProductVariantInterface|null $productVariant */\n        $productVariant = $this-\u003eproductVariantRepository-\u003efindOneBy([\u0027code\u0027 =\u003e $addItemToCart-\u003eproductVariantCode]);\n\n        if ($productVariant === null) {\n            throw new \\InvalidArgumentException(\u0027Product variant with given code has not been found.\u0027);\n        }\n\n        /** @var OrderInterface|null $cart */\n        $cart = $this-\u003eorderRepository-\u003efindCartByTokenValue($addItemToCart-\u003eorderTokenValue);\n\n        if ($cart === null) {\n            throw new \\InvalidArgumentException(\u0027Cart with given token has not been found.\u0027);\n        }\n\n        $this-\u003eassertCartAccessible($cart);\n\n        /** @var OrderItemInterface $cartItem */\n        $cartItem = $this-\u003ecartItemFactory-\u003ecreateNew();\n        $cartItem-\u003esetVariant($productVariant);\n\n        $this-\u003eorderItemQuantityModifier-\u003emodify($cartItem, $addItemToCart-\u003equantity);\n        $this-\u003eorderModifier-\u003eaddToOrder($cart, $cartItem);\n\n        return $cart;\n    }\n\n    private function assertCartAccessible(OrderInterface $cart): void\n    {\n        if ($cart-\u003eisCreatedByGuest()) {\n            return;\n        }\n\n        $cartCustomer = $cart-\u003egetCustomer();\n\n        if (null === $cartCustomer || null === $cartCustomer-\u003egetUser()) {\n            return;\n        }\n\n        $currentUser = $this-\u003euserContext-\u003egetUser();\n\n        if (\n            $currentUser instanceof ShopUserInterface\n            \u0026\u0026 $currentUser-\u003egetCustomer()?-\u003egetId() === $cartCustomer-\u003egetId()\n        ) {\n            return;\n        }\n\n        throw new NotFoundHttpException(\u0027Cart not found.\u0027);\n    }\n}\n```\n\n#### Step 2. Override the service\n\n```diff\n# config/services.yaml\n\nservices:\n    App\\:\n        resource: \u0027../src/*\u0027\n-       exclude: \u0027../src/{Entity,Kernel.php}\u0027                                                                         \n+       exclude: \u0027../src/{Entity,Kernel.php,CommandHandler}\u0027\n\n    sylius_api.command_handler.cart.add_item_to_cart:\n        class: App\\CommandHandler\\Cart\\AddItemToCartHandler\n        arguments:\n            $orderRepository: \u0027@sylius.repository.order\u0027\n            $productVariantRepository: \u0027@sylius.repository.product_variant\u0027\n            $orderModifier: \u0027@sylius.modifier.order\u0027\n            $cartItemFactory: \u0027@sylius.factory.order_item\u0027\n            $orderItemQuantityModifier: \u0027@sylius.modifier.order_item_quantity\u0027\n            $userContext: \u0027@Sylius\\Bundle\\ApiBundle\\Context\\UserContextInterface\u0027\n        tags:\n            - { name: messenger.message_handler, bus: sylius.command_bus }\n```\n\n#### Step 3. Clear cache\n\n```bash\nbin/console cache:clear\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- @rokorolov\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-wjmg-4cq5-m8hg",
  "modified": "2026-03-11T05:46:30Z",
  "published": "2026-03-11T00:12:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31821"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sylius is Missing Authorization in API v2 Add Item Endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.