PT-2026-57039 · Packagist · Sylius/Sylius

Publicado

2026-07-09

·

Atualizado

2026-07-09

·

CVE-2026-53638

CVSS v3.1

4.3

Média

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Impact

An authorization bypass vulnerability exists in the shop account API. The PATCH /api/v2/shop/account/orders/{tokenValue}/payments/{paymentId} endpoint, used by an authenticated shop customer to change the payment method of an order that has been placed but not yet paid (state STATE NEW), does not validate that the chosen payment method is enabled for the order's channel. The equivalent checkout endpoint (PATCH /api/v2/shop/orders/{tokenValue}/payments/{paymentId}) correctly rejects out-of-channel payment methods with HTTP 422; the account endpoint silently accepts them and returns HTTP 200.
An authenticated customer can therefore assign any globally enabled payment method to their own placed order, including methods that the store operator has explicitly excluded from that channel.

Patches

The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6 and above.

Workarounds

If users cannot bump Sylius right now, decorate the SyliusBundleApiBundleChangerPaymentMethodChangerInterface service in their applications.

Step 1. Create the decorator

src/Decorator/ChannelCheckingPaymentMethodChanger.php:
php
<?php

declare(strict types=1);

namespace AppDecorator;

use ApiPlatformValidatorExceptionValidationException;
use SyliusBundleApiBundleChangerPaymentMethodChangerInterface;
use SyliusComponentCoreModelOrderInterface;
use SyliusComponentCoreModelPaymentMethodInterface;
use SyliusComponentCoreRepositoryPaymentMethodRepositoryInterface;
use SyliusComponentCoreRepositoryPaymentRepositoryInterface;
use SyliusComponentPaymentResolverPaymentMethodsResolverInterface;
use SymfonyComponentValidatorConstraintViolation;
use SymfonyComponentValidatorConstraintViolationList;
use SymfonyContractsTranslationTranslatorInterface;

final readonly class ChannelCheckingPaymentMethodChanger implements PaymentMethodChangerInterface
{
  public function  construct(
    private PaymentMethodChangerInterface $decorated,
    private PaymentRepositoryInterface $paymentRepository,
    private PaymentMethodRepositoryInterface $paymentMethodRepository,
    private PaymentMethodsResolverInterface $paymentMethodsResolver,
    private TranslatorInterface $translator,
  ) {
  }

  public function changePaymentMethod(string $paymentMethodCode, mixed $paymentId, OrderInterface $order): OrderInterface
  {
    /** @var PaymentMethodInterface|null $paymentMethod */
    $paymentMethod = $this->paymentMethodRepository->findOneBy(['code' => $paymentMethodCode]);
    $payment = $this->paymentRepository->findOneByOrderId($paymentId, $order->getId());

    if (
      $paymentMethod !== null
      && $payment !== null
      && !in array($paymentMethod, $this->paymentMethodsResolver->getSupportedMethods($payment), true)
    ) {
      $template = 'sylius.payment method.not available';
      $parameters = ['%name%' => (string) $paymentMethod->getName()];

      throw new ValidationException(new ConstraintViolationList([
        new ConstraintViolation(
          message: $this->translator->trans($template, $parameters, 'validators'),
          messageTemplate: $template,
          parameters: $parameters,
          root: $paymentMethodCode,
          propertyPath: '',
          invalidValue: $paymentMethodCode,
        ),
      ]));
    }

    return $this->decorated->changePaymentMethod($paymentMethodCode, $paymentId, $order);
  }
}

Step 2. Register the decorator

config/services.yaml (append to the application's existing services: block):
yaml
services:
  AppDecoratorChannelCheckingPaymentMethodChanger:
    decorates: sylius api.changer.payment method
    arguments:
      - '@.inner'
      - '@sylius.repository.payment'
      - '@sylius.repository.payment method'
      - '@sylius.resolver.payment methods'
      - '@translator'
@.inner references the original PaymentMethodChangerInterface implementation, so any future Sylius change to the changer keeps working through the decorator.

Step 3. Clear the cache

bash
bin/console cache:clear

Reporters

We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:
  • Fredrik Dietrichson (@FredrikEV)

For more information

If there are any questions or comments about this advisory:

Correção

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-53638
GHSA-6955-HRM5-C4QP

Produtos afetados

Sylius/Sylius