Auth bypass in Sylius
CVE-2026-31821
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the…
Vulnerability class: Broken Access Control
EPSS: 0.001 (29.4th percentile)
Affected products
- Sylius — affected version ranges: >= 2.2.0 and < 2.2.3; >= 2.1.0 and < 2.1.12; >= 2.0.0 and < 2.0.16
Weakness classification (CWE)
References
- https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg (x_refsource_CONFIRM)