{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31821", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T17:41:56.076Z", "datePublished": "2026-03-10T21:25:20.368Z", "dateUpdated": "2026-03-11T15:19:28.880Z"}, "containers": {"cna": {"title": "Sylius is Missing Authorization in API v2 Add Item Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg"}], "affected": [{"vendor": "Sylius", "product": "Sylius", "versions": [{"version": ">= 2.2.0, < 2.2.3", "status": "affected"}, {"version": ">= 2.1.0, < 2.1.12", "status": "affected"}, {"version": ">= 2.0.0, < 2.0.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T21:25:20.368Z"}, "descriptions": [{"lang": "en", "value": "Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above."}], "source": {"advisory": "GHSA-wjmg-4cq5-m8hg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31821", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:09:13.238186Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:19:28.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Sylius is Missing Authorization in API v2 Add Item Endpoint", "source": {"advisory": "GHSA-wjmg-4cq5-m8hg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Sylius", "product": "Sylius", "versions": [{"status": "affected", "version": ">= 2.2.0, < 2.2.3"}, {"status": "affected", "version": ">= 2.1.0, < 2.1.12"}, {"status": "affected", "version": ">= 2.0.0, < 2.0.16"}]}], "references": [{"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg", "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T21:25:20.368Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31821", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:09:13.238186Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T15:09:18.926Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-31821", "state": "PUBLISHED", "dateUpdated": "2026-03-10T21:25:20.368Z", "dateReserved": "2026-03-09T17:41:56.076Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T21:25:20.368Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA9449ED-A73A-4D16-A464-DBCBE24CA6A6", "versionEndExcluding": "2.0.16", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "F45888BF-720D-4B78-BA7D-ED7E5E091A8C", "versionEndExcluding": "2.1.12", "versionStartIncluding": "2.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A2540B0-56B9-4B15-9876-BE908A80BB0A", "versionEndExcluding": "2.2.3", "versionStartIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above."}, {"lang": "es", "value": "Sylius es un Framework de eCommerce de C\u00f3digo Abierto en Symfony. El endpoint POST /api/v2/shop/orders/{tokenValue}/items no verifica la propiedad del carrito. Un atacante no autenticado puede a\u00f1adir art\u00edculos a los carritos de otros clientes registrados conociendo el tokenValue del carrito. Un atacante que obtiene un tokenValue de carrito puede a\u00f1adir art\u00edculos arbitrarios al carrito de otro cliente. El endpoint devuelve la representaci\u00f3n completa del carrito en la respuesta (HTTP 201). El problema est\u00e1 solucionado en las versiones: 2.0.16, 2.1.12, 2.2.3 y superiores."}], "id": "CVE-2026-31821", "lastModified": "2026-03-11T19:33:33.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T22:16:19.653", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,2.2.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.1.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Sylius", "source": "cna", "vendor": "Sylius"}, "product": "sylius", "vendor": "sylius"}], "analysis": {"en": {"generated_at": "2026-04-16T09:24:42.736920+00:00", "value": {"mitigation_remediation": ["Upgrade Sylius to version\u202f2.0.16,\u202f2.1.12 or\u202f2.2.3 or later, which restores proper cart ownership checks.", "Require authentication for the /api/v2/shop/orders/{tokenValue}/items endpoint, ensuring only the rightful customer can modify the cart.", "Apply network or proxy restrictions so that only trusted IP addresses or internal clients can reach the cart\u2011modification endpoint."], "summary": {"action": "Patch", "impact": "Unauthorized Cart Modification"}, "threat_synthesis": {"affected_systems": "The open source Sylius eCommerce framework on Symfony is affected in all releases prior to the following patches: 2.0.16, 2.1.12, and 2.2.3. These versions include the necessary authorization check; all later releases are considered secure.", "description_and_impact": "The POST /api/v2/shop/orders/{tokenValue}/items endpoint in Sylius fails to verify that the cart belongs to the caller. This flaw allows an unauthenticated attacker who knows a valid cart tokenValue to add arbitrary items to an existing customer\u2019s shopping cart, effectively creating an unauthorized order. The vulnerability is an instance of improper authorization (CWE\u2011862) and can lead to financial loss or customer confusion if the altered cart is checked out.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1\u202f% shows that exploitation is expected to be rare. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires knowledge of a specific cart tokenValue, widespread attacks are limited, but once a token is obtained, the attacker can immediately add items to the cart by sending a simple HTTP POST request."}}}}, "created": "2026-03-11T11:39:22.912064+00:00", "updated": "2026-04-16T09:30:06.048870+00:00", "vendors": ["sylius", "sylius$PRODUCT$sylius"]}