PT-2026-24478 · Sylius+2

Whiteov3Rflow

·

Published

2026-03-10

·

Updated

2026-03-11

·

CVE-2026-31824

CVSS v3.1

8.2

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Sylius releases earlier than 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 (the fixed release of each supported branch, as listed under Recommendations)
Description: Sylius, an Open Source eCommerce Framework on Symfony, contains a Time-of-Check To Time-of-Use (TOCTOU) race condition in the promotion usage limit enforcement. This affects the global used counter on Promotion entities, the global used counter on PromotionCoupon entities, and the per-customer redemption count on PromotionCoupon entities. The vulnerability arises because the eligibility check reads the usage counter from the entity already loaded in memory, while the increment is applied later without database-level locking or an atomic update. Because Doctrine flushes the absolute in-memory value rather than issuing an atomic increment, and no optimistic locking is in place, concurrent requests that each read the same stale counter all pass the check and each writes back the same value, so the limit is bypassed. An attacker can exploit this by submitting multiple orders that use the same limited-use promotion or coupon simultaneously via the '/api/v2/shop/orders/{token}/complete' API endpoint. This allows a single-use promotion or coupon to be redeemed multiple times, potentially leading to financial loss. No authentication is required for exploitation. The vulnerable parameter is the token variable in the API endpoint path.
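The check-then-act window described above, as an added example (this is not Sylius, Doctrine or Symfony code; the table and column names are assumed for illustration and are not taken from the Sylius schema). Three "requests" that arrive at the same time are replayed step by step against an in-memory SQLite table, so the interleaving is reproducible without threads. The vulnerable path loads the counter, checks it in memory and writes back an absolute value the way an ORM flush does; the two hardened paths show the remedies the description points at, an atomic conditional UPDATE and optimistic locking with a version column.

```python
"""Deterministic model of the promotion usage-limit TOCTOU (added example).

Not Sylius code. Table and column names (promotion, usage_limit, used, version)
are assumptions for illustration. The three requests are interleaved by hand
so the race is reproducible; a real database would need concurrent clients.
"""
import sqlite3

SCHEMA = """
CREATE TABLE promotion (
    id          INTEGER PRIMARY KEY,
    usage_limit INTEGER NOT NULL,           -- redemptions allowed
    used        INTEGER NOT NULL DEFAULT 0,
    version     INTEGER NOT NULL DEFAULT 1  -- used only by the optimistic-lock variant
);
-- constructed sample row: a single-use promotion
INSERT INTO promotion (id, usage_limit) VALUES (1, 1);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def used_count(conn, pid=1):
    return conn.execute("SELECT used FROM promotion WHERE id = ?", (pid,)).fetchone()[0]


def vulnerable_checkout(conn, concurrent_requests, pid=1):
    """Check-then-act with the counter held in memory (the pattern in the advisory).

    Time of check: every in-flight request loads its own copy of the row.
    Time of use: each request that passed the check writes back its own
    absolute value (what flushing the entity does), not an increment.
    Returns how many requests were allowed to redeem the promotion.
    """
    snapshots = [conn.execute(
        "SELECT usage_limit, used FROM promotion WHERE id = ?", (pid,)).fetchone()
        for _ in range(concurrent_requests)]
    redeemed = 0
    for limit, used in snapshots:
        if used < limit:                      # true for every request: all saw used == 0
            redeemed += 1
            conn.execute("UPDATE promotion SET used = ? WHERE id = ?", (used + 1, pid))
    conn.commit()
    return redeemed


def atomic_checkout(conn, concurrent_requests, pid=1):
    """Atomic conditional increment: check and write are a single statement.

    Row-level locking in the database serialises concurrent UPDATEs, so at most
    usage_limit of them match the WHERE clause. A request whose UPDATE touched
    zero rows must reject the order instead of completing it.
    """
    redeemed = 0
    for _ in range(concurrent_requests):
        cur = conn.execute(
            "UPDATE promotion SET used = used + 1 "
            "WHERE id = ? AND used < usage_limit", (pid,))
        if cur.rowcount == 1:
            redeemed += 1
    conn.commit()
    return redeemed


def optimistic_checkout(conn, concurrent_requests, pid=1):
    """Optimistic locking: the write succeeds only if the row is unchanged since the read.

    Same stale-read interleaving as the vulnerable path, but the UPDATE is
    guarded by the version seen at check time, so every later writer fails
    (the equivalent of an optimistic-lock exception) and must retry or reject.
    """
    snapshots = [conn.execute(
        "SELECT usage_limit, used, version FROM promotion WHERE id = ?", (pid,)).fetchone()
        for _ in range(concurrent_requests)]
    redeemed = 0
    for limit, used, version in snapshots:
        if used >= limit:
            continue
        cur = conn.execute(
            "UPDATE promotion SET used = ?, version = version + 1 "
            "WHERE id = ? AND version = ?", (used + 1, pid, version))
        if cur.rowcount == 1:
            redeemed += 1
    conn.commit()
    return redeemed


if __name__ == "__main__":
    for name, fn in [("vulnerable", vulnerable_checkout),
                     ("atomic", atomic_checkout),
                     ("optimistic", optimistic_checkout)]:
        conn = fresh_db()
        print(f"{name:10s} redeemed={fn(conn, 3)} used={used_count(conn)}")
```

With a usage limit of 1 and three simultaneous requests, the vulnerable path redeems the promotion three times while the stored counter ends at 1, which is why the overspend is invisible in the counter itself; both hardened paths redeem once. The atomic UPDATE is the simpler fix when only a counter is involved; the version-column approach is the one to reach for when the check spans several fields of the entity.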
Recommendations: upgrade to the fixed release of the branch in use: Sylius 1.9.12 and above, 1.10.16 and above, 1.11.17 and above, 1.12.23 and above, 1.13.15 and above, 1.14.18 and above, 2.0.16 and above, 2.1.12 and above, or 2.2.3 and above

Weakness Enumeration

Race Condition (CWE-362)
Time Of Check To Time Of Use (CWE-367)

Related Identifiers

CVE-2026-31824
GHSA-7mp4-25j8-hp5q

Affected Products

Doctrine
Sylius
Symfony