I had this particular issue. Once an order is created, I, the Admin, couldn't edit the order. It's not a bug or anything. It's a security update which opencart implemented via user/api, and is called during several operations on site, ie Order Additions, Deletions or Modifications.
For it to work for you, ask your host to disable mod_security for urls with "admin", or urls containing your IP Address, or check if your htaccess can overide and disable it from there.
You can also exclude per request/method type 'POST' or 'GET'.
Please note, Latest mod_sec is mod_security2
Guess am happy after I found out the real issue.
It happens in this block:
