Sylius

v2.1.15 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published: 1 day ago (category: API Development)

Topics

api, api-ecommerce, ecommerce, ecommerce-platform, headless, headless-ecommerce, php, rest, restful-api, shop, shopping-cart, sylius, symfony, symfony-bundle

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal

The v2.1.15 release fixes several security issues in the Shop API and frontend components, including IDOR vulnerabilities and unauthorized modification of completed orders.

Why it matters: it addresses high-severity (severity 95) IDOR flaws on the Payment Request and Account Orders endpoints and prevents the Cart FormComponent from altering already completed orders (severity 80). Operators should apply the update promptly to eliminate these access-control risks.

Summary

AI summary

A mixed release whose security content consists of three advisories (the first being https://github.com/Sylius/Sylius/security/advisories/GHSA-mr9r-h354-966r), with the fixes contributed by https://github.com/TheMilek.

Changes in this release

  • Security, critical: Fixes IDOR on Shop Payment Request endpoints in the API (source: llm_adapter@2026-06-02; confidence: high)
  • Security, critical: Fixes channel-based payment method restriction bypass on the shop account orders API endpoint (source: llm_adapter@2026-06-02; confidence: high)
  • Security, critical: Fixes Cart FormComponent allowing modification or deletion of completed orders (source: llm_adapter@2026-06-02; confidence: low)
  • Security, high: Prevents Cart FormComponent from modifying or deleting completed orders (source: granite4.1:30b@2026-06-02-audit; confidence: low)
  • Bugfix, medium: Prevents stale cart LiveComponents from mutating completed orders (source: llm_adapter@2026-06-02; confidence: high)
  • Bugfix, medium: Enforces channel eligibility check when changing payment method via the account endpoint (source: llm_adapter@2026-06-02; confidence: high)
  • Bugfix, medium: Checks payment request ownership to prevent unauthorized access (source: llm_adapter@2026-06-02; confidence: high)

Full changelog

TL;DR

🔒 This is a security release!

Fixes the following vulnerabilities:

Details

  • #19038 [2.1] Prevent stale cart LiveComponents from mutating completed orders (@TheMilek)
  • #19039 [2.1][API] Enforce channel eligibility check when changing payment method via account endpoint (@TheMilek)
  • #19040 [2.1] Check payment request ownership (@TheMilek)

Full Changelog: https://github.com/Sylius/Sylius/compare/v2.1.14...v2.1.15

Security Fixes

  • GHSA-mr9r-h354-966r — IDOR on Shop Payment Request endpoints in the API
  • GHSA-6955-hrm5-c4qp — Channel-based payment method restriction bypass on shop account orders API endpoint
  • GHSA-5597-7rmh-97q5 — Cart FormComponent allows modification or deletion of an already-completed order

About Sylius

Symfony2 powered open source full-stack platform for eCommerce.
