PT-2026-24474 · Sylius (+1)

M-Y-Mo

Published 2026-03-10 · Updated 2026-03-11 · CVE-2026-31820

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Sylius versions prior to 2.0.16
Sylius versions prior to 2.1.12
Sylius versions prior to 2.2.3
Description

Sylius, an open source eCommerce framework on Symfony, contains an authenticated Insecure Direct Object Reference (IDOR) issue in several shop LiveComponents. The cause is unvalidated resource IDs accepted via #[LiveArg] parameters: any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is affected. Specifically, the Checkout address FormComponent's addressFieldUpdated action accepts an addressId via #[LiveArg], potentially exposing another user's personal information, including first name, last name, company, phone number, street, city, postcode, and country. The Cart WidgetComponent's refreshCart action and the Cart SummaryComponent's refreshCart action both accept a cartId via #[LiveArg], allowing direct access to order data such as order total and item count, subtotal, discount, shipping cost, taxes, and order total. Because Sylius keeps active carts and completed orders in the same ID space, the cart IDOR can expose data from all orders, not only from in-progress carts.
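The pattern the advisory describes, as an added illustration that is not Sylius's own code or its fix: a LiveComponent action that trusts a client-supplied #[LiveArg] id and loads it with ->find(), next to a hardened version that scopes the lookup to the authenticated customer. The repository and customer-context interfaces, and the hydration helper, are assumed names for the illustration.

```php
<?php
// Added example, not Sylius code. Shows an IDOR-prone LiveComponent action
// and a hardened form. AddressRepositoryInterface, CustomerContextInterface
// and toArray() are assumed names standing in for the real collaborators.

use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveAction;
use Symfony\UX\LiveComponent\Attribute\LiveArg;

#[AsLiveComponent('example_address_form')]
final class ExampleAddressFormComponent
{
    public function __construct(
        private readonly AddressRepositoryInterface $addresses,   // assumed
        private readonly CustomerContextInterface $customerContext, // assumed
    ) {}

    // BEFORE: the id comes straight from the client and is looked up as-is.
    // Any authenticated user can pass someone else's addressId and receive
    // that record, which is the IDOR the advisory describes.
    #[LiveAction]
    public function addressFieldUpdatedVulnerable(#[LiveArg] int $addressId): array
    {
        $address = $this->addresses->find($addressId);

        return $this->toArray($address);
    }

    // AFTER: the owner is resolved server-side and becomes part of the query,
    // so a foreign id and a non-existent id behave identically. The client can
    // still choose the id, but only among records it already owns.
    #[LiveAction]
    public function addressFieldUpdated(#[LiveArg] int $addressId): array
    {
        $customer = $this->customerContext->getCustomer();
        if ($customer === null) {
            throw new AccessDeniedException('No authenticated customer.');
        }

        // Doctrine-style criteria lookup scoped to the owner (assumed mapping).
        $address = $this->addresses->findOneBy(['id' => $addressId, 'customer' => $customer]);
        if ($address === null) {
            throw new AccessDeniedException('Address not found for this customer.');
        }

        return $this->toArray($address);
    }

    private function toArray(?object $address): array { /* assumed hydration helper */ return []; }
}
```

The same owner-scoped lookup applies to the cart actions: a cartId should be resolved through the current customer's (or session's) cart rather than by a bare ->find(), which matters here because carts and completed orders share one ID space.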
Recommendations

Update Sylius to version 2.0.16 or later.
Update Sylius to version 2.1.12 or later.
Update Sylius to version 2.2.3 or later.

Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-31820
GHSA-2XC6-348P-C2X6

Affected Products

Sylius
Symfony