CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53639

mediumcovered by 1 sourcefirst seen 2026-07-09
Impact The GET /api/v2/shop/payment-requests/{hash} and PUT /api/v2/shop/payment-requests/{hash} endpoints look up the payment request solely by the hash from the URL. No ownership check is performed against the authenticated customer or the underlying order. An attacker who obtains a payment request hash can: - read the payment request and, through the payment IRI in the response, recover the underlying order's tokenValue (which itself grants access to the full order, items, addresses, customer email, totals); - update the payment request payload (e.g. target_path, after_path). These fields are used by the front-end controller to redirect the user after the payment, so an attacker can flip them to an attacker-controlled URL and intercept the buyer. The hash is a UUID, so it has to be obtained out-of-band (logs, shared links, referrer headers, a co-located client), but once it is known no other credential is required, neither authentication nor knowledge of the order token. The creation endpoint POST /api/v2/shop/orders/{tokenValue}/payment-requests shares the same flaw: it resolves the target order solely from the tokenValue in the URL without verifying that the caller owns the order. Patches The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6. Workarounds Until you can upgrade, apply the following workaround. It enforces ownership on the existing endpoints, so that: - an authenticated shop user may only access payment requests of their own orders; - an anonymous caller may only access payment requests of guest orders (the order's customer has no associated user account); - everyone else receives 404 Not Found. Step 1. Add a query extension that filters the GET operation Create file src/ApiPlatform/QueryExtension/PaymentRequestOwnershipExtension.php: <?php declare(strict_types=1); namespace App\ApiPlatform\QueryExtension; use ApiPlatform\Doctrine\Orm\Extension\QueryItemExtensionInterface; use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;

⚡ Watch CVE-2026-53639

Get an email if CVE-2026-53639 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53639

CVE.org record

Embed the live status

CVE-2026-53639 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53639 status](https://www.csirts.com/badge/CVE-2026-53639)](https://www.csirts.com/cve/CVE-2026-53639)