PT-2026-57039 · Packagist · Sylius/Sylius
Publicado
2026-07-09
·
Atualizado
2026-07-09
·
CVE-2026-53638
CVSS v3.1
4.3
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Impact
An authorization bypass vulnerability exists in the shop account API. The
PATCH /api/v2/shop/account/orders/{tokenValue}/payments/{paymentId} endpoint, used by an authenticated shop customer to change the payment method of an order that has been placed but not yet paid (state STATE NEW), does not validate that the chosen payment method is enabled for the order's channel. The equivalent checkout endpoint (PATCH /api/v2/shop/orders/{tokenValue}/payments/{paymentId}) correctly rejects out-of-channel payment methods with HTTP 422; the account endpoint silently accepts them and returns HTTP 200.An authenticated customer can therefore assign any globally enabled payment method to their own placed order, including methods that the store operator has explicitly excluded from that channel.
Patches
The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6 and above.
Workarounds
If users cannot bump Sylius right now, decorate the
SyliusBundleApiBundleChangerPaymentMethodChangerInterface service in their applications.Step 1. Create the decorator
src/Decorator/ChannelCheckingPaymentMethodChanger.php:php
<?php
declare(strict types=1);
namespace AppDecorator;
use ApiPlatformValidatorExceptionValidationException;
use SyliusBundleApiBundleChangerPaymentMethodChangerInterface;
use SyliusComponentCoreModelOrderInterface;
use SyliusComponentCoreModelPaymentMethodInterface;
use SyliusComponentCoreRepositoryPaymentMethodRepositoryInterface;
use SyliusComponentCoreRepositoryPaymentRepositoryInterface;
use SyliusComponentPaymentResolverPaymentMethodsResolverInterface;
use SymfonyComponentValidatorConstraintViolation;
use SymfonyComponentValidatorConstraintViolationList;
use SymfonyContractsTranslationTranslatorInterface;
final readonly class ChannelCheckingPaymentMethodChanger implements PaymentMethodChangerInterface
{
public function construct(
private PaymentMethodChangerInterface $decorated,
private PaymentRepositoryInterface $paymentRepository,
private PaymentMethodRepositoryInterface $paymentMethodRepository,
private PaymentMethodsResolverInterface $paymentMethodsResolver,
private TranslatorInterface $translator,
) {
}
public function changePaymentMethod(string $paymentMethodCode, mixed $paymentId, OrderInterface $order): OrderInterface
{
/** @var PaymentMethodInterface|null $paymentMethod */
$paymentMethod = $this->paymentMethodRepository->findOneBy(['code' => $paymentMethodCode]);
$payment = $this->paymentRepository->findOneByOrderId($paymentId, $order->getId());
if (
$paymentMethod !== null
&& $payment !== null
&& !in array($paymentMethod, $this->paymentMethodsResolver->getSupportedMethods($payment), true)
) {
$template = 'sylius.payment method.not available';
$parameters = ['%name%' => (string) $paymentMethod->getName()];
throw new ValidationException(new ConstraintViolationList([
new ConstraintViolation(
message: $this->translator->trans($template, $parameters, 'validators'),
messageTemplate: $template,
parameters: $parameters,
root: $paymentMethodCode,
propertyPath: '',
invalidValue: $paymentMethodCode,
),
]));
}
return $this->decorated->changePaymentMethod($paymentMethodCode, $paymentId, $order);
}
}Step 2. Register the decorator
config/services.yaml (append to the application's existing services: block):yaml
services:
AppDecoratorChannelCheckingPaymentMethodChanger:
decorates: sylius api.changer.payment method
arguments:
- '@.inner'
- '@sylius.repository.payment'
- '@sylius.repository.payment method'
- '@sylius.resolver.payment methods'
- '@translator'@.inner references the original PaymentMethodChangerInterface implementation, so any future Sylius change to the changer keeps working through the decorator.Step 3. Clear the cache
bash
bin/console cache:clearReporters
We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:
- Fredrik Dietrichson (@FredrikEV)
For more information
If there are any questions or comments about this advisory:
- Open an issue in Sylius issues
- Send an email to security@sylius.com
Correção
Incorrect Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Sylius/Sylius