VYPR
Moderate severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 11, 2026

Sylius is Missing Authorization in API v2 Add Item Endpoint

CVE-2026-31821

Description

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Sylius API v2 endpoint allows unauthenticated attackers to add items to any customer's cart if they know the cart token.

The POST /api/v2/shop/orders/{tokenValue}/items endpoint in Sylius API v2 lacks ownership verification. This allows an unauthenticated attacker to add items to any registered customer's cart by simply knowing the cart's tokenValue [1][2].

An attacker who obtains a cart tokenValue (e.g., via theft or leakage) can send a POST request with arbitrary product items. No authentication is required. The endpoint returns the full cart representation in the HTTP 201 response, potentially leaking sensitive data such as customer email, cart contents, addresses, payment and shipment IDs, order totals, and checkout state [2].

This flaw enables unauthorized addition of items to other customers' carts, leading to potential denial of service, data exposure, and manipulation of orders. The lack of ownership check on this mutation endpoint contrasts with other operations (PUT, PATCH, DELETE) which properly verify ownership via VisitorBasedExtension [2].

The issue is fixed in Sylius versions 2.0.16, 2.1.12, and 2.2.3 [1][2]. Users are advised to upgrade. A workaround is available by adding an ownership check in AddItemToCartHandler [2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
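The narrative above describes the missing check as the absence of a cart-ownership test on one mutation endpoint, with the workaround being an ownership check inside AddItemToCartHandler. The following PHP sketch is an added illustration, not Sylius's own code: the Cart, Customer, CartRepository and handler classes are hypothetical stand-ins, and the sample token and variant code are constructed. It places the unchecked handler shape beside a hardened one that refuses to mutate a registered customer's cart unless the authenticated caller is that customer, while leaving anonymous guest carts keyed by their token as the other cart operations already do.

```php
<?php
// Added illustration, not Sylius's own code. All class and method names are
// hypothetical stand-ins for the cart, customer and handler objects the advisory names.
declare(strict_types=1);

final class Customer
{
    public function __construct(public readonly int $id) {}
}

final class Cart
{
    /** @param ?Customer $customer null means an anonymous guest (visitor) cart */
    public function __construct(
        public readonly string $tokenValue,
        public readonly ?Customer $customer,
        public array $items = [],
    ) {}
}

final class AccessDeniedException extends \RuntimeException {}

final class CartRepository
{
    /** @var array<string, Cart> carts keyed by tokenValue */
    private array $carts = [];

    public function add(Cart $cart): void { $this->carts[$cart->tokenValue] = $cart; }

    public function findByToken(string $token): ?Cart { return $this->carts[$token] ?? null; }
}

final class AddItemToCartHandler
{
    public function __construct(private CartRepository $carts) {}

    // Unchecked shape (the defect the advisory describes): knowing the token is enough.
    public function handleWithoutOwnershipCheck(string $token, string $variantCode, int $qty): Cart
    {
        $cart = $this->carts->findByToken($token) ?? throw new \RuntimeException('Cart not found');
        $cart->items[] = ['variant' => $variantCode, 'quantity' => $qty];
        return $cart;
    }

    // Hardened shape: verify ownership before mutating, then add the item.
    public function handle(string $token, string $variantCode, int $qty, ?Customer $caller): Cart
    {
        $cart = $this->carts->findByToken($token) ?? throw new \RuntimeException('Cart not found');
        self::assertOwnership($cart, $caller);
        $cart->items[] = ['variant' => $variantCode, 'quantity' => $qty];
        return $cart;
    }

    // A guest cart has no owner, so the token remains its credential; a cart
    // attached to a registered customer may only be changed by that customer.
    public static function assertOwnership(Cart $cart, ?Customer $caller): void
    {
        if ($cart->customer === null) {
            return;
        }
        if ($caller === null || $caller->id !== $cart->customer->id) {
            throw new AccessDeniedException('Cart does not belong to the current user');
        }
    }
}

// Constructed sample: a registered customer's cart, then an unauthenticated
// request that knows the token, then the owner's own request.
$repo = new CartRepository();
$alice = new Customer(1);
$repo->add(new Cart('tok-constructed-0001', $alice));
$handler = new AddItemToCartHandler($repo);

try {
    $handler->handle('tok-constructed-0001', 'VARIANT_A', 1, null);
    echo "unexpected: item added without an owner\n";
} catch (AccessDeniedException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

$cart = $handler->handle('tok-constructed-0001', 'VARIANT_A', 1, $alice);
echo 'owner added item; cart now holds ' . count($cart->items) . " item(s)\n";
```

Two points for whoever applies a check like this in a real deployment: the ownership test must run before any state change (including the cart recalculation the response serialises), and a denied attempt on a registered customer's cart is a useful signal to log, since a burst of them against many token values from one client is what token guessing or a leaked-token list looks like from the server side.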

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions      Patched versions
sylius/sylius (Packagist)   >= 2.0.0, < 2.0.16     2.0.16
sylius/sylius (Packagist)   >= 2.1.0, < 2.1.12     2.1.12
sylius/sylius (Packagist)   >= 2.2.0, < 2.2.3      2.2.3

Affected products (2)

  • Sylius/Sylius (llm-create)
    Range: <2.0.16, <2.1.12, <2.2.3
  • Sylius/Sylius (v5)
    Range: >= 2.2.0, < 2.2.3
