Skip to main content

Payload EUVDEUVD-2026-18017

| CVE-2026-34749 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-01 security-advisories@github.com GHSA-p6mr-xf3r-ghq4
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 20:27 euvd
EUVD-2026-18017
Analysis Generated
Apr 01, 2026 - 20:27 vuln.today
CVE Published
Apr 01, 2026 - 20:16 nvd
MEDIUM 5.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on payload (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.79.1.

DescriptionGitHub Advisory

Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.

AnalysisAI

Payload CMS versions prior to 3.79.1 contain a cross-site request forgery (CSRF) vulnerability in the authentication flow that allows attackers to bypass configured CSRF protections and perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction (clicking a malicious link) but affects all unauthenticated network-accessible instances. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

This vulnerability represents a failure in CSRF token validation mechanisms (CWE-352: Cross-Site Request Forgery) within Payload's authentication subsystem. CSRF protections typically rely on cryptographic tokens tied to user sessions; this flaw indicates a condition where these tokens could be circumvented-potentially through token reuse, timing issues, or improper scope binding between token and request context. The vulnerability is network-accessible (AV:N) with low attack complexity (AC:L), meaning standard HTTP requests are sufficient without requiring special network positioning. Payload is a headless CMS built on Node.js/TypeScript commonly used in modern web architectures, making authentication CSRF a critical attack surface.

RemediationAI

Upgrade Payload CMS to version 3.79.1 or later immediately. This is the vendor-released patch that fixes the CSRF protection bypass. For npm users, run npm install payload@3.79.1 and rebuild. Docker users should pull the latest image corresponding to v3.79.1 or higher. Consult the official release notes at https://github.com/payloadcms/payload/releases/tag/v3.79.1 for any breaking changes or migration guidance. Until patching is complete, consider restricting access to the CMS admin interface via network controls (VPN, allowlisted IP ranges) to reduce the likelihood of users clicking malicious links while authenticated.

Share

EUVD-2026-18017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy