Sylius affected by IDOR in Cart and Checkout LiveComponents
Description
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count. Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total. Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated IDOR in Sylius LiveComponents allows attackers to access other users' addresses and order data via unvalidated #[LiveArg] parameters.
Vulnerability
Overview
An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple Sylius shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled. Any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. The affected components are the Checkout address FormComponent (addressFieldUpdated action), Cart WidgetComponent (refreshCart action), and Cart SummaryComponent (refreshCart action) [1][2].
Exploitation
An authenticated attacker can manipulate the addressId or cartId parameters to load arbitrary addresses or orders from the repository. Since the sylius_order table contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts [1].
Impact
Successful exploitation exposes another user's personal data (first name, last name, company, phone number, street, city, postcode, country) from the address component, and order financial details (order total, item count, subtotal, discount, shipping cost, taxes, and order total) from the cart components [1][2].
Mitigation
The issue is fixed in Sylius versions 2.0.16, 2.1.12, and 2.2.3 and above. As a workaround, administrators can override the vulnerable LiveComponent classes at the project level to add authorization checks to #[LiveArg] parameters [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sylius/syliusPackagist | >= 2.0.0, < 2.0.16 | 2.0.16 |
sylius/syliusPackagist | >= 2.1.0, < 2.1.12 | 2.1.12 |
sylius/syliusPackagist | >= 2.2.0, < 2.2.3 | 2.2.3 |
Affected products
2- Sylius/Syliusv5Range: >= 2.2.0, < 2.2.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-2xc6-348p-c2x6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31820ghsaADVISORY
- github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.