Missing Authorization in Sylius - CVE-2026-31821


Published: April 27, 2026


Vulnerability identifier: #VU128216
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-31821
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sylius
Affected software:
Sylius

Detailed vulnerability description

The vulnerability allows a remote attacker to modify another customer's cart and disclose sensitive information.

The vulnerability exists due to missing authorization in the API v2 add item endpoint when handling POST requests to /api/v2/shop/orders/{tokenValue}/items. A remote attacker can send a specially crafted request with a known cart tokenValue to modify another customer's cart and disclose sensitive information.

The endpoint response may include the full cart representation, including customer email address, cart contents, address data, payment and shipment IDs, order totals, tax breakdown, and checkout state.
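As an added illustration (not Sylius code; the data model, the `carts` store and the guest-session binding are all assumed), the handler shape described above, where the cart token alone selects the cart, beside a hardened form that checks who owns the cart before touching it:

```python
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """The caller is not allowed to act on this cart (map to HTTP 403/404)."""


@dataclass
class Cart:
    token_value: str
    customer_id: Optional[str]          # None marks a guest cart
    items: list = field(default_factory=list)


@dataclass
class RequestContext:
    customer_id: Optional[str]          # authenticated shop user, or None
    guest_cart_token: Optional[str] = None  # assumed: token bound to the guest's session


def add_item_unchecked(ctx: RequestContext, carts: dict, token: str, variant: str, qty: int) -> Cart:
    """CWE-862 pattern from the advisory: knowing the token is enough to modify the cart."""
    cart = carts[token]
    cart.items.append((variant, qty))
    return cart


def assert_can_modify(ctx: RequestContext, cart: Cart) -> None:
    """Authorization check: a customer cart needs the owning customer,
    a guest cart needs the session it was created in."""
    if cart.customer_id is not None:
        if ctx.customer_id != cart.customer_id:
            raise Forbidden("cart belongs to another customer")
    elif ctx.guest_cart_token != cart.token_value:
        raise Forbidden("guest cart is not bound to this session")


def add_item_checked(ctx: RequestContext, carts: dict, token: str, variant: str, qty: int) -> Cart:
    """Hardened handler: resolve the cart, authorize, then mutate and return it."""
    cart = carts.get(token)
    if cart is None:
        raise Forbidden("no such cart")      # same outcome as denial, no token oracle
    assert_can_modify(ctx, cart)
    cart.items.append((variant, qty))
    return cart


def make_carts() -> dict:
    # constructed sample data for the demonstration
    return {"tok_alice": Cart("tok_alice", "cust_alice"), "tok_guest": Cart("tok_guest", None)}
```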


How to mitigate CVE-2026-31821

Install the security update from the vendor's website.
