Skip to main content

Payload Puck EUVDEUVD-2026-19921

| CVE-2026-39397 CRITICAL
Missing Authorization (CWE-862)
2026-04-07 GitHub_M GHSA-65w6-pf7x-5g85
9.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

5
Re-analysis Queued
Apr 15, 2026 - 20:37 vuln.today
cvss_changed
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 20:31 euvd
EUVD-2026-19921
Analysis Generated
Apr 07, 2026 - 20:31 vuln.today
CVE Published
Apr 07, 2026 - 20:09 nvd
CRITICAL 9.4

DescriptionGitHub Advisory

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.

AnalysisAI

Access control bypass in PayloadCMS Puck plugin (delmaredigital/payload-puck) versions prior to 0.6.23 allows unauthenticated remote attackers to perform unauthorized CRUD operations on all Puck-managed content collections. The vulnerability stems from hardcoded overrideAccess: true in API endpoint handlers, completely circumventing collection-level access controls that developers implemented. With CVSS 9.4 (critical severity), CVSS vector PR:N confirms no authentication required, and AC:L indicates trivial exploitation. No CISA KEV listing or public exploit identified at time of analysis, but the vulnerability is straightforward to exploit given the network-accessible API endpoints and complete access control failure.

Technical ContextAI

This vulnerability affects the payload-puck plugin (CPE: cpe:2.3:a:delmaredigital:payload-puck), which integrates Puck visual page builder with PayloadCMS. The root cause is CWE-862 (Missing Authorization), where the createPuckPlugin() function registered API route handlers for /api/puck/* CRUD endpoints that invoke Payload's local API with overrideAccess: true hardcoded. In PayloadCMS architecture, overrideAccess is a privileged flag that bypasses all access control hooks and collection-level permission checks. The plugin silently ignored both the access configuration option passed to createPuckPlugin() and any access control rules defined on Puck-registered collections, effectively exposing administrative-level data manipulation capabilities through public API endpoints. This represents a complete failure of the authorization layer for all Puck-managed content.

RemediationAI

Upgrade immediately to delmaredigital/payload-puck version 0.6.23 or later, which removes the hardcoded overrideAccess: true flag and properly enforces access control configurations. The fix is implemented in commit 9148201c6bbfa140d44546438027a2f8a70f79a4 available at https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4. No workarounds are available short of patching, as the access control bypass is embedded in the plugin's core endpoint registration logic. After upgrading, verify that access control rules on Puck collections are properly configured and test that unauthenticated requests to /api/puck/* endpoints are correctly rejected according to your security policies. Review application logs for any suspicious CRUD operations on Puck collections that occurred prior to patching, as unauthorized access may have occurred without authentication failures being logged. Consult the full security advisory at https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85 for additional context.

Share

EUVD-2026-19921 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy