GHSA-mr9r-h354-966r: Sylius: IDOR on Shop Payment Request API endpoints
Impact
The GET /api/v2/shop/payment-requests/{hash} and PUT /api/v2/shop/payment-requests/{hash} endpoints look up the payment request solely by the hash from the URL. No ownership check is performed against the authenticated customer or the underlying order.
An attacker who obtains a payment request hash can:
- read the payment request and, through the payment IRI in the response, recover the underlying order's tokenValue (which itself grants access to the full order, items, addresses, customer email, totals);
- update the payment request payload (e.g. target_path, after_path). These fields are used by the front-end controller to redirect the user after the payment, so an attacker can flip them to an attacker-controlled URL and intercept the buyer.
The hash is a UUID, so it has to be obtained out-of-band (logs, shared links, referrer headers, a co-located client), but once it is known no other credential is required, neither authentication nor knowledge of the order token.
The creation endpoint POST /api/v2/shop/orders/{tokenValue}/payment-requests shares the same flaw: it resolves the target order solely from the tokenValue in the URL without verifying that the caller owns the order.
Patches
The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6.
Workarounds
Until you can upgrade, apply the following workaround. It enforces ownership on the existing endpoints, so that:
- an authenticated shop user may only access payment requests of their own orders;
- an anonymous caller may only access payment requests of guest orders (the order's customer has no associated user account);
- everyone else receives 404 Not Found.
Step 1. Add a query extension that filters the GET operation
Create file src/ApiPlatform/QueryExtension/PaymentRequestOwnershipExtension.php:
<?php
declare(strict_types=1);
namespace App\ApiPlatform\QueryExtension;
use ApiPlatform\Doctrine\Orm\Extension\QueryItemExtensionInterface;
use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
Details
Original advisory: https://github.com/advisories/GHSA-mr9r-h354-966r
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-53639 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10