Sylius

v2.0.18 Security

This release includes 3 security fixes; security teams reviewing exposed deployments should review them.

Published 1d ago · API Development

Topics

api, api-ecommerce, ecommerce, ecommerce-platform, headless, headless-ecommerce, php, rest, restful-api, shop, shopping-cart, sylius, symfony, symfony-bundle

Affected surfaces

auth, rbac

ReleasePort's take

Moderate signal (editorial: auto, 1d ago)

Release v2.0.18 patches three critical security flaws: an IDOR on Shop Payment Request API endpoints, a bypass of payment method restrictions on the Shop Account Orders API endpoint, and unauthorized modification/deletion of completed orders via Cart FormComponent.

Why it matters: the flaws carry severity scores of 95 and affect key commerce APIs (payment requests, account orders and the cart); operators must upgrade to v2.0.18 immediately to remediate these high-impact vulnerabilities.

Summary

AI summary

A mixed release whose notes reference the Details section, the contributor https://github.com/TheMilek, and the advisory https://github.com/Sylius/Sylius/security/advisories/GHSA-mr9r-h354-966r.

Changes in this release

  • Security, Critical: Fixes IDOR on Shop Payment Request endpoints in API (Source: llm_adapter@2026-06-02; Confidence: high)
  • Security, Critical: Fixes channel-based payment method restriction bypass on shop account orders API endpoint (Source: llm_adapter@2026-06-02; Confidence: high)
  • Security, Critical: Fixes Cart FormComponent allowing modification or deletion of completed orders (Source: llm_adapter@2026-06-02; Confidence: low)
  • Security, High: Prevents Cart FormComponent from modifying or deleting completed orders (Source: granite4.1:30b@2026-06-02-audit; Confidence: low)

Full changelog

TL;DR

🔒 This is a security release!

Fixes the following vulnerabilities:

  • GHSA-mr9r-h354-966r — IDOR on Shop Payment Request endpoints in API
  • GHSA-6955-hrm5-c4qp — Channel-based payment method restriction bypass on shop account orders API endpoint
  • GHSA-5597-7rmh-97q5 — Cart FormComponent allows modification or deletion of an already-completed order

Details

  • #19035 [2.0] Check payment request ownership (@TheMilek)
  • #19036 [2.0] Prevent stale cart LiveComponents from mutating completed orders (@TheMilek)
  • #19037 [2.0][API] Enforce channel eligibility check when changing payment method via account endpoint (@TheMilek)

Full Changelog: https://github.com/Sylius/Sylius/compare/v2.0.17...v2.0.18


About Sylius

Symfony2 powered open source full-stack platform for eCommerce.
