Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 2 npm packages depend on @payloadcms/graphql (1 direct, 1 indirect)
- 2 npm packages depend on payload (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.79.1 and other introduced versions.
DescriptionGitHub Advisory
Impact
A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.
Users are affected if:
- They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in
forgot-passwordfunctionality.
Patches
Input validation and URL construction in the password recovery flow have been hardened.
Users should upgrade to v3.79.1 or later.
Workarounds
There are no complete workarounds. Upgrading to v3.79.1 is recommended.
AnalysisAI
Account takeover via password reset flow in Payload CMS versions prior to 3.79.1 allows unauthenticated remote attackers to perform actions on behalf of users who initiate password recovery. The vulnerability stems from insufficient input validation and URL construction (CWE-472: External Control of Assumed-Immutable Web Parameter), enabling attackers to intercept or manipulate the password reset process without authentication. Affects all auth-enabled collections using built-in forgot-password functionality. CVSS 9.1 (Critical) with network-accessible, low-complexity exploitation requiring no privileges. EPSS data not available; no public exploit identified at time of analysis, but the GitHub security advisory provides detailed technical context increasing weaponization risk.
Technical ContextAI
This vulnerability exploits CWE-472 (External Control of Assumed-Immutable Web Parameter), where the password recovery flow in Payload CMS inadequately validates or sanitizes parameters used in URL construction. Payload is a TypeScript-based headless CMS (npm packages: payload, @payloadcms/graphql) that provides authentication mechanisms including password reset functionality. The flaw allows attackers to manipulate parameters in the forgot-password workflow-likely through host header injection, open redirect, or token leakage via referer headers-to redirect password reset tokens or callbacks to attacker-controlled endpoints. This enables session hijacking or credential theft when legitimate users request password resets. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is remotely executable with no authentication barriers and minimal complexity, making it trivially exploitable against any Payload CMS instance with exposed authentication endpoints.
RemediationAI
Immediate upgrade to Payload CMS version 3.79.1 or later is required, as confirmed in the release notes at https://github.com/payloadcms/payload/releases/tag/v3.79.1. The patch hardens input validation and URL construction in the password recovery flow to prevent parameter manipulation attacks. No complete workarounds exist-partial mitigations like disabling password reset functionality would break legitimate user workflows and are not sustainable. Organizations should prioritize patching internet-facing instances first, then internal systems. After upgrading, review authentication logs for suspicious password reset activity patterns (high volume requests, unusual geographic origins, or rapid token generation) that may indicate historical exploitation attempts. Consult the GitHub security advisory GHSA-hp5w-3hxx-vmwf for additional technical guidance and verify the fix addresses your specific deployment configuration.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17991
GHSA-hp5w-3hxx-vmwf