CVE-2026-31820

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-31820
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31820.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31820
Aliases
Published
2026-03-10T21:22:37.052Z
Modified
2026-03-13T13:45:50.372061Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Sylius affected by IDOR in Cart and Checkout LiveComponents
Details

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count. Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total. Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

Database specific 
{
    "cwe_ids": [
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31820.json"
}
References

Affected packages

Git / github.com/sylius/sylius

Affected ranges

Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
7aa47be3a617f75337d73d245352ea700bc8a1ef
Fixed
111d96b1bea7cb59bc2f7b4c6d35d5cd05872195
Database specific 
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
a5a816f9f1fcb5abd2d42b27801656aa2ae9bf0d
Fixed
d8092f21ee9606b0155231fe892d9d54fc44986e
Database specific 
{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.1.12"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
6dd3ca9895be7ab7e6cb71f37af2ef66af17cbe0
Fixed
af579b0b6eaa10ea0883fb458484718c80fc96c7
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.16"
        }
    ]
}

Affected versions

v1.*
v1.13.10
v1.13.11
v1.13.9
v1.14.1
v1.14.10
v1.14.11
v1.14.12
v1.14.13
v1.14.14
v1.14.15
v1.14.16
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.14.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31820.json"