CVE-2026-31821: Sylius is Missing Authorization in API v2 Add Item Endpoint

The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers’ carts by knowing the cart tokenValue.

POST /api/v2/shop/orders/{tokenValue}/items

Other mutation endpoints (PUT, PATCH, DELETE) are not affected. API Platform loads the Order entity through the state provider for these operations, which triggers VisitorBasedExtension and returns 404 for unauthorized users.

An attacker who obtains a cart tokenValue can add arbitrary items to another customer’s cart. The endpoint returns the full cart representation in the response (HTTP 201), potentially leaking:

• Customer email address
• Cart contents (products, quantities, prices)
• Address data (billing and shipping if set)
• Payment and shipment IDs
• Order totals and tax breakdown
• Checkout state