Moderate severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 11, 2026
Sylius is Missing Authorization in API v2 Add Item Endpoint
CVE-2026-31821
Description
Sylius is an open-source eCommerce framework built on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership: it requires only the cart's tokenValue, not that the request comes from the customer the cart belongs to. An unauthenticated attacker who obtains another registered customer's cart tokenValue can therefore add arbitrary items to that customer's cart. Because the endpoint returns the full cart representation in the response (HTTP 201), the attacker also receives the victim's cart contents. The issue is fixed in versions 2.0.16, 2.1.12 and 2.2.3 and above.
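To make the flaw class concrete, the following is an added example, not Sylius code and not the project's patch. It models the vulnerable endpoint logic beside a corrected version over a constructed in-memory cart store. The names (Cart, add_item_vulnerable, add_item_fixed, handle) and the sample tokens and customers are assumptions for illustration; the only rule enforced is the one the advisory implies: a cart bound to a registered customer may be modified only by that customer, while a guest cart stays usable by whoever holds its token.

```python
"""Model of the missing cart-ownership check behind CVE-2026-31821.

Constructed example: the cart store, tokens and customer IDs below are
made up; the handlers mirror the request shape of the Sylius endpoint
(POST /api/v2/shop/orders/{tokenValue}/items) but are not its code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class NotFound(Exception):
    """Unknown cart tokenValue (maps to HTTP 404)."""


class Forbidden(Exception):
    """Requester is not the owner of a customer-bound cart (maps to HTTP 403)."""


@dataclass
class Cart:
    token_value: str
    customer_id: Optional[str]          # None means a guest (anonymous) cart
    items: Dict[str, int] = field(default_factory=dict)  # variant code -> quantity


def make_carts() -> Dict[str, Cart]:
    """Constructed sample data: one registered customer's cart and one guest cart."""
    return {
        "tok-alice": Cart("tok-alice", customer_id="alice"),
        "tok-guest": Cart("tok-guest", customer_id=None),
    }


def _find_cart(carts: Dict[str, Cart], token_value: str) -> Cart:
    cart = carts.get(token_value)
    if cart is None:
        raise NotFound(token_value)
    return cart


def _add(cart: Cart, variant: str, quantity: int) -> Cart:
    if quantity < 1:
        raise ValueError("quantity must be positive")
    cart.items[variant] = cart.items.get(variant, 0) + quantity
    return cart


def add_item_vulnerable(carts: Dict[str, Cart], token_value: str, variant: str,
                        quantity: int, requester: Optional[str] = None) -> Tuple[int, Cart]:
    """Vulnerable shape: the tokenValue alone is treated as authorization.

    `requester` (the authenticated customer, or None for an anonymous caller)
    is accepted but never consulted, so anyone who knows the token can mutate
    a registered customer's cart and gets the full cart back with 201.
    """
    cart = _find_cart(carts, token_value)
    return 201, _add(cart, variant, quantity)


def add_item_fixed(carts: Dict[str, Cart], token_value: str, variant: str,
                   quantity: int, requester: Optional[str] = None) -> Tuple[int, Cart]:
    """Corrected shape: ownership is checked before the cart is touched.

    A guest cart (customer_id is None) remains usable by the token holder.
    A cart bound to a registered customer is only modifiable by that customer;
    an anonymous caller or a different customer is rejected.
    """
    cart = _find_cart(carts, token_value)
    if cart.customer_id is not None and requester != cart.customer_id:
        raise Forbidden(token_value)
    return 201, _add(cart, variant, quantity)


Handler = Callable[..., Tuple[int, Cart]]


def handle(view: Handler, carts: Dict[str, Cart], token_value: str, variant: str,
           quantity: int, requester: Optional[str] = None) -> int:
    """Run a handler the way an HTTP layer would and return just the status code."""
    try:
        return view(carts, token_value, variant, quantity, requester)[0]
    except NotFound:
        return 404
    except Forbidden:
        return 403


if __name__ == "__main__":
    # Anonymous caller who knows Alice's token: 201 on the vulnerable path, 403 after the fix.
    print(handle(add_item_vulnerable, make_carts(), "tok-alice", "MUG", 1))
    print(handle(add_item_fixed, make_carts(), "tok-alice", "MUG", 1))
```

The corrected handler decides authorization before any mutation, which is the property the affected endpoint lacked. Two practitioner caveats: a deployment may prefer to answer a foreign token with 404 rather than 403 so the response does not confirm that the token exists (a design choice, not something the advisory prescribes), and since the advisory names only the add-item route, the same ownership check is worth confirming on the other cart-mutating routes of an instance as a follow-up audit.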
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| sylius/sylius | Packagist | >= 2.0.0, < 2.0.16 | 2.0.16 |
| sylius/sylius | Packagist | >= 2.1.0, < 2.1.12 | 2.1.12 |
| sylius/sylius | Packagist | >= 2.2.0, < 2.2.3 | 2.2.3 |
References
- github.com/advisories/GHSA-wjmg-4cq5-m8hg (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-31821 (NVD entry)
- github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg (vendor advisory, x_refsource_CONFIRM)