CVE-2026-31824
Published: 10 March 2026
Summary
CVE-2026-31824 is a high-severity Race Condition (CWE-362) vulnerability in Sylius (vendor: Sylius). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-2 (Flaw Remediation): timely application of the vendor patches directly fixes the TOCTOU race condition, since the fixed versions use atomic increments and locking for the promotion and coupon usage counters.
- SC-5 (Denial-of-service Protection): rate limiting on the order completion API endpoint reduces an attacker's ability to send the burst of simultaneous requests the race condition requires.
- SI-4 (System Monitoring): monitoring for anomalous patterns of concurrent order completions that redeem the same promotion or coupon can reveal exploitation of the usage limit bypass.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The TOCTOU race condition sits in the public Sylius eCommerce API (the unauthenticated PATCH /complete endpoint), so it directly enables T1190 (Exploit Public-Facing Application) against the internet-facing application; the resulting unlimited discount redemptions cause merchant financial loss, matching T1657 (Financial Theft).
NVD Description
Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion entities), coupon usage limit (the global used counter on PromotionCoupon entities), and coupon per-customer usage limit (the per-customer redemption count on PromotionCoupon entities). In all three cases, the eligibility check reads the used counter (or order count) from an in-memory Doctrine entity during validation, while the actual usage increment in OrderPromotionsUsageModifier happens later during order completion — with no database-level locking or atomic operations between the two phases. Because Doctrine flushes an absolute value (SET used = 1) rather than an atomic increment (SET used = used + 1), and because the affected entities lack optimistic locking, concurrent requests all read the same stale usage counts and pass the eligibility checks simultaneously. An attacker can exploit this by preparing multiple carts with the same limited-use promotion or coupon and firing simultaneous PATCH /api/v2/shop/orders/{token}/complete requests. All requests pass the usage limit checks and complete successfully, allowing a single-use promotion or coupon to be redeemed an arbitrary number of times. The per-customer limit can be bypassed in the same way by a single customer completing multiple orders concurrently. No authentication is required to exploit this vulnerability. This may lead to direct financial loss through unlimited redemption of limited-use promotions and discount coupons. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Deeper analysis (AI-generated)
CVE-2026-31824 is a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in the promotion usage limit enforcement of Sylius, an open-source eCommerce framework built on Symfony. The issue affects the global used counter on Promotion entities, the global used counter on PromotionCoupon entities, and the per-customer redemption count on PromotionCoupon entities. During validation, eligibility checks read usage counters from in-memory Doctrine entities, but the actual increment occurs later in the OrderPromotionsUsageModifier during order completion, without database-level locking or atomic operations. Doctrine flushes absolute values rather than atomic increments, and the entities lack optimistic locking, allowing concurrent requests to read stale counts and bypass limits.
The vulnerability can be exploited by unauthenticated attackers who prepare multiple carts using the same limited-use promotion or coupon and simultaneously send PATCH requests to /api/v2/shop/orders/{token}/complete. All requests pass the eligibility checks and complete successfully, enabling arbitrary redemptions of single-use promotions or coupons. A single customer can similarly bypass per-customer limits by completing multiple orders concurrently. Successful exploitation leads to direct financial loss for merchants through unlimited discount redemptions. The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L), linked to CWEs 362 (Concurrent Execution using Shared Resource with Improper Synchronization) and 367 (TOCTOU Race Condition).
The GitHub Security Advisory (GHSA-7mp4-25j8-hp5q) confirms the fix in Sylius versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3, and above. Security practitioners should upgrade affected deployments immediately and review concurrent order processing in eCommerce APIs for similar race conditions.
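The following is an added illustration, not code from Sylius or the advisory. It uses a constructed SQLite table in place of the real Doctrine schema and models the request interleaving deterministically rather than with real threads, contrasting the flush-an-absolute-value pattern described above with a conditional atomic increment, the remedy the fixed versions rely on:

```python
import sqlite3

# Constructed, simplified model of the counter on a PromotionCoupon row
# (not the real Sylius schema): one single-use coupon, nothing redeemed yet.
def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE promotion_coupon "
                 "(id INTEGER PRIMARY KEY, code TEXT, usage_limit INTEGER, used INTEGER)")
    conn.execute("INSERT INTO promotion_coupon VALUES (1, 'SINGLEUSE', 1, 0)")
    conn.commit()
    return conn

def current_used(conn):
    return conn.execute("SELECT used FROM promotion_coupon WHERE id = 1").fetchone()[0]

def complete_orders_vulnerable(conn, n):
    """TOCTOU pattern: n concurrent requests each load the coupon entity before
    any of them writes, check it in memory, then flush an absolute value."""
    # Time of check: every request reads used == 0 into its own entity copy.
    loaded = [conn.execute("SELECT used, usage_limit FROM promotion_coupon "
                           "WHERE id = 1").fetchone() for _ in range(n)]
    redeemed = 0
    for used, limit in loaded:
        if used < limit:  # passes for all n, since all hold the same stale count
            # Time of use: Doctrine-style flush of the stale entity's value
            # (SET used = 1), not an atomic increment.
            conn.execute("UPDATE promotion_coupon SET used = ? WHERE id = 1", (used + 1,))
            redeemed += 1
    conn.commit()
    return redeemed, current_used(conn)  # with n=5: (5, 1), counter still says 1

def complete_orders_fixed(conn, n):
    """Check and increment collapsed into one conditional UPDATE, which the
    database executes atomically; a request that matches no row is refused."""
    redeemed = 0
    for _ in range(n):
        cur = conn.execute("UPDATE promotion_coupon SET used = used + 1 "
                           "WHERE id = 1 AND used < usage_limit")
        if cur.rowcount == 1:
            redeemed += 1  # this order completion is allowed
        # rowcount == 0: limit already reached, so order completion must fail
    conn.commit()
    return redeemed, current_used(conn)  # with n=5: (1, 1)
```

The same conditional-update shape applies to the per-customer limit if the WHERE clause also compares the customer's redemption count, which is the part that a purely in-memory entity check cannot guarantee.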
Details
- CWE(s)