Skip to main content

CVE-2026-34751

| EUVDEUVD-2026-17991 CRITICAL
External Control of Assumed-Immutable Web Parameter (CWE-472)
2026-04-01 https://github.com/payloadcms/payload GHSA-hp5w-3hxx-vmwf
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 16:15 euvd
EUVD-2026-17991
Analysis Generated
Apr 01, 2026 - 16:15 vuln.today
CVE Published
Apr 01, 2026 - 16:08 nvd
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on @payloadcms/graphql (1 direct, 1 indirect)
  • 2 npm packages depend on payload (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.79.1 and other introduced versions.

DescriptionGitHub Advisory

Impact

A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.

Users are affected if:

  • They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in forgot-password functionality.

Patches

Input validation and URL construction in the password recovery flow have been hardened.

Users should upgrade to v3.79.1 or later.

Workarounds

There are no complete workarounds. Upgrading to v3.79.1 is recommended.

AnalysisAI

Account takeover via password reset flow in Payload CMS versions prior to 3.79.1 allows unauthenticated remote attackers to perform actions on behalf of users who initiate password recovery. The vulnerability stems from insufficient input validation and URL construction (CWE-472: External Control of Assumed-Immutable Web Parameter), enabling attackers to intercept or manipulate the password reset process without authentication. Affects all auth-enabled collections using built-in forgot-password functionality. CVSS 9.1 (Critical) with network-accessible, low-complexity exploitation requiring no privileges. EPSS data not available; no public exploit identified at time of analysis, but the GitHub security advisory provides detailed technical context increasing weaponization risk.

Technical ContextAI

This vulnerability exploits CWE-472 (External Control of Assumed-Immutable Web Parameter), where the password recovery flow in Payload CMS inadequately validates or sanitizes parameters used in URL construction. Payload is a TypeScript-based headless CMS (npm packages: payload, @payloadcms/graphql) that provides authentication mechanisms including password reset functionality. The flaw allows attackers to manipulate parameters in the forgot-password workflow-likely through host header injection, open redirect, or token leakage via referer headers-to redirect password reset tokens or callbacks to attacker-controlled endpoints. This enables session hijacking or credential theft when legitimate users request password resets. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is remotely executable with no authentication barriers and minimal complexity, making it trivially exploitable against any Payload CMS instance with exposed authentication endpoints.

RemediationAI

Immediate upgrade to Payload CMS version 3.79.1 or later is required, as confirmed in the release notes at https://github.com/payloadcms/payload/releases/tag/v3.79.1. The patch hardens input validation and URL construction in the password recovery flow to prevent parameter manipulation attacks. No complete workarounds exist-partial mitigations like disabling password reset functionality would break legitimate user workflows and are not sustainable. Organizations should prioritize patching internet-facing instances first, then internal systems. After upgrading, review authentication logs for suspicious password reset activity patterns (high volume requests, unusual geographic origins, or rapid token generation) that may indicate historical exploitation attempts. Consult the GitHub security advisory GHSA-hp5w-3hxx-vmwf for additional technical guidance and verify the fix addresses your specific deployment configuration.

Share

CVE-2026-34751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy