
Sylius

v2.2.6 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 1d API Development
Fixes 3 GitHub Security Advisories (GHSA identifiers listed under Security Fixes below); no CVE identifiers are given on this page.

Topics

api api-ecommerce ecommerce ecommerce-platform headless headless-ecommerce php rest restful-api shop shopping-cart sylius symfony symfony-bundle

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal
editorial:auto 1d

The v2.2.6 release fixes three security advisories affecting the shop payment request and account order API endpoints and the cart form, fixes a CSRF token handling bug, and adds two minor features.

Why it matters: Addresses an IDOR in the shop payment request endpoints and a channel-based payment method restriction bypass in the shop account orders endpoint (both rated severity 95 here), a cart form that could modify or delete an already-completed order, and a CSRF token handling issue (severity 50). Operators exposing the shop API should upgrade to 2.2.6 to prevent unauthorized payment actions and exposure of other customers' payment data.
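Before upgrading, it helps to confirm what a deployment actually pins. The script below is an added example, not ReleasePort's or Sylius's own tooling: it reads a composer.lock, finds the locked sylius/sylius version and reports whether it is older than 2.2.6, the first release this page says carries the fixes. It assumes the application depends on the sylius/sylius monorepo package (as Sylius-Standard does); the embedded lock file is constructed sample input.

```php
<?php
declare(strict_types=1);
// Added example, not Sylius or ReleasePort code: reads a composer.lock and
// reports whether the locked sylius/sylius is older than 2.2.6, the first
// release carrying these fixes. Assumes the project depends on the
// sylius/sylius package (as Sylius-Standard does); the lock below is constructed.

const PACKAGE = 'sylius/sylius';
const FIXED_VERSION = '2.2.6';

/** Returns the locked version of $package (without the "v" prefix), or null if it is not in the lock. */
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? null) === $package) {
                // Composer records tags as "v2.2.5"; version_compare() needs the bare number.
                // A branch alias such as "dev-main" is left as is and compares as older,
                // which is the safe direction for a security check.
                return ltrim((string) $entry['version'], 'v');
            }
        }
    }
    return null;
}

/** True when the locked package is present and older than the fixed release. */
function needsUpgrade(string $lockJson): bool
{
    $installed = lockedVersion($lockJson, PACKAGE);
    return $installed !== null && version_compare($installed, FIXED_VERSION, '<');
}

// Constructed sample lock, trimmed to the fields the check reads.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'symfony/http-kernel', 'version' => 'v7.1.4'],
        ['name' => PACKAGE, 'version' => 'v2.2.5'],
    ],
    'packages-dev' => [],
], JSON_THROW_ON_ERROR);

// Usage: php check-sylius.php [path/to/composer.lock]; falls back to the sample.
$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : $sampleLock;
$installed = lockedVersion($lockJson, PACKAGE);
printf("%s %s: %s\n", PACKAGE, $installed ?? 'not locked',
    needsUpgrade($lockJson) ? 'older than ' . FIXED_VERSION . ', upgrade' : 'ok');
```

If a project pins Sylius's split bundle packages instead of the monorepo package, point PACKAGE at those names; the comparison logic is the same.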

Summary

AI summary

A mixed release: three security advisories, two small feature additions and five bug fixes. The GitHub profiles https://github.com/michalkaczmarek-bitbag and https://github.com/TheMilek are referenced in the release details.

Changes in this release

Security Critical
Fixes IDOR on Shop Payment Request endpoints in API (GHSA-mr9r-h354-966r).
Source: llm_adapter@2026-06-02; confidence: high

Security Critical
Fixes channel-based payment method restriction bypass on shop account orders API endpoint (GHSA-6955-hrm5-c4qp).
Source: llm_adapter@2026-06-02; confidence: high

Security Critical (rated High by the audit pass)
Fixes Cart FormComponent allowing modification or deletion of an already-completed order (GHSA-5597-7rmh-97q5).
Sources: llm_adapter@2026-06-02 (confidence: low); granite4.1:30b@2026-06-02-audit (confidence: low)
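Taken by their titles, the three advisories are missing-authorization bugs of one shape: a handler resolves a resource from a request parameter and acts on it without checking that the caller may. The code below is an added example, not Sylius code and not the actual patches (the page does not show them); it demonstrates the three checks in plain PHP: ownership of a payment request before it is returned, channel enablement of a payment method before it is set on an order, and order state before a cart edit. The classes, state names, hash format and fixtures are assumptions for illustration, not Sylius identifiers.

```php
<?php
declare(strict_types=1);
// Added example, not Sylius code: the three authorization checks the advisories
// above describe, applied to a deliberately minimal order model. Class names,
// state names and the fixtures are assumptions for illustration.

final class Channel { public function __construct(public readonly string $code) {} }

final class PaymentMethod {
    /** @param string[] $channelCodes channels this method is enabled for */
    public function __construct(public readonly string $code, public readonly array $channelCodes) {}
}

final class Order {
    public const STATE_CART = 'cart';
    public const STATE_COMPLETED = 'completed';
    public ?string $paymentMethodCode = null;
    public function __construct(
        public readonly int $id,
        public readonly string $customerId,
        public readonly Channel $channel,
        public string $state = self::STATE_CART,
    ) {}
}

/** A payment request is reachable by its hash; the hash alone says nothing about who may read it. */
final class PaymentRequest {
    public function __construct(public readonly string $hash, public readonly Order $order) {}
}

final class AccessDenied extends RuntimeException {}

/** Check 1 (IDOR): the caller must own the order behind the payment request. */
function assertOwnsPaymentRequest(PaymentRequest $pr, string $callerCustomerId): void
{
    if ($pr->order->customerId !== $callerCustomerId) {
        throw new AccessDenied('payment request does not belong to the caller');
    }
}

/** Check 2 (channel restriction): a method may only be chosen for an order whose channel it is enabled for. */
function assertMethodAllowedInChannel(PaymentMethod $method, Order $order): void
{
    if (!in_array($order->channel->code, $method->channelCodes, true)) {
        throw new AccessDenied(sprintf('%s is not enabled for channel %s', $method->code, $order->channel->code));
    }
}

/** Check 3 (state guard): cart edits and deletes are only valid while the order is still a cart. */
function assertOrderIsCart(Order $order): void
{
    if ($order->state !== Order::STATE_CART) {
        throw new AccessDenied(sprintf('order %d is %s, not a cart', $order->id, $order->state));
    }
}

/** Hardened handler shape: resolve the resource, authorize it against the caller, only then act. */
function choosePaymentMethod(Order $order, PaymentMethod $method, string $callerCustomerId): void
{
    if ($order->customerId !== $callerCustomerId) {
        throw new AccessDenied('order does not belong to the caller');
    }
    assertMethodAllowedInChannel($method, $order);
    $order->paymentMethodCode = $method->code;
}

function removeCartItem(Order $order, string $callerCustomerId): void
{
    if ($order->customerId !== $callerCustomerId) {
        throw new AccessDenied('order does not belong to the caller');
    }
    assertOrderIsCart($order);
    // the cart mutation itself would go here
}

// Constructed fixtures: a method enabled only on "web_eu", Alice's completed
// order on "web_us", and a payment request hanging off that order.
$us = new Channel('web_us');
$bankTransferEu = new PaymentMethod('bank_transfer_eu', ['web_eu']);
$aliceOrder = new Order(1001, 'alice', $us, Order::STATE_COMPLETED);
$aliceRequest = new PaymentRequest('a1b2c3', $aliceOrder);

$attempts = [
    "mallory reads alice's payment request" => fn() => assertOwnsPaymentRequest($aliceRequest, 'mallory'),
    'alice picks an EU-only method on a US order' => fn() => choosePaymentMethod($aliceOrder, $bankTransferEu, 'alice'),
    'alice edits her completed order as a cart'   => fn() => removeCartItem($aliceOrder, 'alice'),
    'alice reads her own payment request'         => fn() => assertOwnsPaymentRequest($aliceRequest, 'alice'),
];
foreach ($attempts as $label => $attempt) {
    try {
        $attempt();
        echo "allowed: $label\n";
    } catch (AccessDenied $e) {
        echo "denied:  $label ({$e->getMessage()})\n";
    }
}
```

The first three attempts are denied and the last is allowed. The ordering inside each handler is the point: an existence lookup by id or hash proves nothing about the caller, so the ownership, channel and state checks run after the lookup and before any read or write.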

Feature Medium
Adds appendError method to ResponseCheckerInterface.
Source: llm_adapter@2026-06-02; confidence: high

Feature Medium
Exposes ShippingMethod DeliveryTimeDays in admin API.
Source: llm_adapter@2026-06-02; confidence: low

Bugfix Medium
Fixes modals appearing behind backdrop on sticky page-header.
Source: llm_adapter@2026-06-02; confidence: high

Bugfix Medium
Fixes CSRF token handling issue.
Source: llm_adapter@2026-06-02; confidence: high

Bugfix Medium
Fixes attribute card style for product show page.
Source: llm_adapter@2026-06-02; confidence: low

Bugfix Medium
Fixes "Undefined array key 0" error in PathPrefixProvider when path equals API route.
Source: llm_adapter@2026-06-02; confidence: low

Bugfix Medium
Fixes 404 error on GET /shop/products/{code} when all associated products are disabled.
Source: llm_adapter@2026-06-02; confidence: low

Full changelog

TL;DR

🔒 This is a security release!

Fixes the following vulnerabilities:

  • GHSA-mr9r-h354-966r – IDOR on Shop Payment Request endpoints in API
  • GHSA-6955-hrm5-c4qp – Channel-based payment method restriction bypass on shop account orders API endpoint
  • GHSA-5597-7rmh-97q5 – Cart FormComponent allows modification or deletion of an already-completed order

Details

Full Changelog: https://github.com/Sylius/Sylius/compare/v2.2.5...v2.2.6


About Sylius

Symfony2 powered open source full-stack platform for eCommerce.
