Auth bypass in Sylius

CVE-2026-31820

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unli…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (5.9th percentile) — read the EPSS interpretation.

Affected products

Sylius — versions >= 2.2.0, < 2.2.3, >= 2.1.0, < 2.1.12, >= 2.0.0, < 2.0.16

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6 (x_refsource_CONFIRM)