Race Condition in Sylius eCommerce Framework Affecting Promotions and Coupons
CVE-2026-31824

8.2 HIGH

Key Information:

Vendor: Sylius
Status: Vendor
CVE Published: 10 March 2026

What is CVE-2026-31824?

A race condition in the Sylius eCommerce Framework's enforcement of promotion and coupon usage limits lets an unauthenticated attacker redeem a limited-use offer more times than its limit allows by submitting concurrent checkout requests. The root cause is a time-of-check to time-of-use (TOCTOU) flaw: eligibility is evaluated against in-memory Doctrine entities, and that check is not synchronised with the usage-counter increment performed at order completion, so several carts can each pass the check before any of them has consumed the allowance. The result is effectively unbounded redemption of promotions that were meant to be limited, with direct financial loss to the merchant.
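The following is an added illustration of the check-then-increment pattern the advisory describes and of one way to close it; it is not Sylius code and does not reproduce the project's schema or classes. The table and column names (promotion_coupon, usage_limit, used) are assumptions for the example. The vulnerable checkout reads the counter at one point in time and increments it unconditionally later; the hardened checkout folds the limit test into the same UPDATE that increments, so the database decides atomically and the second cart that arrives after the last use is refused. The interleaving is forced deterministically (all carts pass the eligibility check before any completes), which is exactly what concurrent requests produce in practice.

```python
import sqlite3

# Constructed schema for the illustration; Sylius's real tables and columns
# are not reproduced here.
SCHEMA = """
CREATE TABLE promotion_coupon (
    code        TEXT PRIMARY KEY,
    usage_limit INTEGER NOT NULL,
    used        INTEGER NOT NULL DEFAULT 0
);
"""


def make_db(code, usage_limit):
    """Fresh in-memory database holding one limited-use coupon (autocommit mode)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO promotion_coupon (code, usage_limit, used) VALUES (?, ?, 0)",
        (code, usage_limit),
    )
    return conn


class VulnerableCheckout:
    """Check-then-act: eligibility is decided from a value read earlier, and the
    increment at order completion trusts that stale decision (the TOCTOU flaw)."""

    def __init__(self, conn, code):
        self.conn = conn
        self.code = code
        self.eligible = False

    def check_eligibility(self):
        # Time of check: the counter is read into memory (the Doctrine entity in Sylius).
        used, limit = self.conn.execute(
            "SELECT used, usage_limit FROM promotion_coupon WHERE code = ?",
            (self.code,),
        ).fetchone()
        self.eligible = used < limit
        return self.eligible

    def complete_order(self):
        # Time of use: unconditional increment, no re-validation against the limit.
        if not self.eligible:
            return False
        self.conn.execute(
            "UPDATE promotion_coupon SET used = used + 1 WHERE code = ?",
            (self.code,),
        )
        return True


class AtomicCheckout(VulnerableCheckout):
    """Limit test and increment happen in one conditional UPDATE, so the
    database enforces the limit regardless of how requests interleave."""

    def complete_order(self):
        if not self.eligible:
            return False
        cur = self.conn.execute(
            "UPDATE promotion_coupon SET used = used + 1 "
            "WHERE code = ? AND used < usage_limit",
            (self.code,),
        )
        # rowcount == 0 means another order consumed the last use first.
        return cur.rowcount == 1


def race(checkout_cls, concurrency, usage_limit, code="SAVE10"):
    """Simulate `concurrency` carts that all pass the eligibility check before
    any of them completes its order, the interleaving the advisory describes.
    Returns (orders that obtained the discount, final value of the usage counter)."""
    conn = make_db(code, usage_limit)
    carts = [checkout_cls(conn, code) for _ in range(concurrency)]
    for cart in carts:
        cart.check_eligibility()  # every cart observes used < usage_limit
    redeemed = sum(1 for cart in carts if cart.complete_order())
    used = conn.execute(
        "SELECT used FROM promotion_coupon WHERE code = ?", (code,)
    ).fetchone()[0]
    conn.close()
    return redeemed, used


if __name__ == "__main__":
    print("vulnerable:", race(VulnerableCheckout, concurrency=5, usage_limit=1))
    print("atomic:    ", race(AtomicCheckout, concurrency=5, usage_limit=1))
```

With a usage limit of 1 and five concurrent carts, the vulnerable path grants the discount five times and leaves the counter at 5; the atomic path grants it once. The same property can be obtained with a pessimistic row lock (SELECT ... FOR UPDATE inside the order-completion transaction, which Doctrine exposes as a pessimistic write lock) so that the check and the increment run under the same lock; the conditional UPDATE is shown here because it needs no transaction-scope reasoning and works on any engine with row-level atomicity. When verifying a deployment, fire the checkout requests for one coupon concurrently and compare the number of discounted orders against the configured limit.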

Affected Version(s)

Sylius >= 2.2.0, < 2.2.3 (fixed in 2.2.3)

Sylius >= 2.1.0, < 2.1.12 (fixed in 2.1.12)

Sylius >= 2.0.0, < 2.0.16 (fixed in 2.0.16)


CVSS V3.1

Score: 8.2
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

The listed metrics correspond to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. Note that this vector evaluates to a base score of 7.5 under the CVSS 3.1 formula, not the 8.2 shown on this page, so the published score and the per-metric breakdown do not agree; check the original advisory before relying on either figure.

Timeline

  • Vulnerability published: 10 March 2026

  • Vulnerability reserved: date not given