Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 2 npm packages depend on payload (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.79.1.
DescriptionGitHub Advisory
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
AnalysisAI
Payload CMS versions prior to 3.79.1 contain a cross-site request forgery (CSRF) vulnerability in the authentication flow that allows attackers to bypass configured CSRF protections and perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction (clicking a malicious link) but affects all unauthenticated network-accessible instances. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
This vulnerability represents a failure in CSRF token validation mechanisms (CWE-352: Cross-Site Request Forgery) within Payload's authentication subsystem. CSRF protections typically rely on cryptographic tokens tied to user sessions; this flaw indicates a condition where these tokens could be circumvented-potentially through token reuse, timing issues, or improper scope binding between token and request context. The vulnerability is network-accessible (AV:N) with low attack complexity (AC:L), meaning standard HTTP requests are sufficient without requiring special network positioning. Payload is a headless CMS built on Node.js/TypeScript commonly used in modern web architectures, making authentication CSRF a critical attack surface.
RemediationAI
Upgrade Payload CMS to version 3.79.1 or later immediately. This is the vendor-released patch that fixes the CSRF protection bypass. For npm users, run npm install payload@3.79.1 and rebuild. Docker users should pull the latest image corresponding to v3.79.1 or higher. Consult the official release notes at https://github.com/payloadcms/payload/releases/tag/v3.79.1 for any breaking changes or migration guidance. Until patching is complete, consider restricting access to the CMS admin interface via network controls (VPN, allowlisted IP ranges) to reduce the likelihood of users clicking malicious links while authenticated.
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbit
Payload CMS prior to 3.73.0 has a SQL injection vulnerability when querying structured data, enabling database compromis
Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissi
SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and
Server-Side Request Forgery in Payload CMS versions prior to 3.79.1 allows authenticated users with upload permissions t
Payload CMS prior to v3.75.0 contains a Server-Side Request Forgery vulnerability in its external file upload feature th
Payload is a free and open source headless content management system. Rated medium severity (CVSS 6.5), this vulnerabili
Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18017
GHSA-p6mr-xf3r-ghq4