Skip to main content

Payload EUVDEUVD-2026-18011

| CVE-2026-34746 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-01 security-advisories@github.com GHSA-6r7f-q7f5-wpx8
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 20:27 euvd
EUVD-2026-18011
Analysis Generated
Apr 01, 2026 - 20:27 vuln.today
CVE Published
Apr 01, 2026 - 20:16 nvd
HIGH 7.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on payload (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.79.1.

DescriptionGitHub Advisory

Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.

AnalysisAI

Server-Side Request Forgery in Payload CMS versions prior to 3.79.1 allows authenticated users with upload permissions to force the server to make HTTP requests to arbitrary URLs, potentially exposing internal network resources and sensitive data. The vulnerability affects the upload functionality and enables information disclosure with high confidentiality impact. CVSS score of 7.7 reflects network-accessible attack vector with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the vulnerability requires only basic authenticated access to upload-enabled collections.

Technical ContextAI

Payload CMS is a TypeScript-based headless content management system built on Node.js that provides RESTful and GraphQL APIs for content delivery. This vulnerability stems from CWE-918 (Server-Side Request Forgery), where the upload functionality fails to properly validate or sanitize URLs provided during file upload operations. When processing upload requests, the application makes outbound HTTP requests to user-controlled URLs without adequate validation, allowing authenticated attackers to proxy requests through the server. The CVSS vector PR:L indicates low-privilege authentication is required, meaning any authenticated user with create or update permissions on collections configured with upload functionality can exploit this. The scope change (S:C) indicates the vulnerability affects resources beyond the vulnerable component, typical of SSRF attacks that can pivot to internal network resources, cloud metadata endpoints (AWS EC2 metadata, Azure IMDS), or internal services not directly accessible from the attacker's network position.

RemediationAI

Upgrade immediately to Payload CMS version 3.79.1 or later, which contains the complete fix for this SSRF vulnerability. The vendor-released patch is available through the official GitHub releases at https://github.com/payloadcms/payload/releases/tag/v3.79.1. Organizations should prioritize this upgrade for any internet-facing Payload CMS installations or deployments with access to sensitive internal resources. As a temporary risk reduction measure pending upgrade, review and restrict user permissions on upload-enabled collections to only trusted administrators, though this does not eliminate the vulnerability. Network segmentation and egress filtering can provide defense-in-depth by limiting which external or internal resources the Payload CMS server can reach, reducing the impact of successful SSRF exploitation. The GitHub security advisory at https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8 provides additional technical details and context.

Share

EUVD-2026-18011 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy