Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
5DescriptionGitHub Advisory
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
AnalysisAI
Access control bypass in PayloadCMS Puck plugin (delmaredigital/payload-puck) versions prior to 0.6.23 allows unauthenticated remote attackers to perform unauthorized CRUD operations on all Puck-managed content collections. The vulnerability stems from hardcoded overrideAccess: true in API endpoint handlers, completely circumventing collection-level access controls that developers implemented. With CVSS 9.4 (critical severity), CVSS vector PR:N confirms no authentication required, and AC:L indicates trivial exploitation. No CISA KEV listing or public exploit identified at time of analysis, but the vulnerability is straightforward to exploit given the network-accessible API endpoints and complete access control failure.
Technical ContextAI
This vulnerability affects the payload-puck plugin (CPE: cpe:2.3:a:delmaredigital:payload-puck), which integrates Puck visual page builder with PayloadCMS. The root cause is CWE-862 (Missing Authorization), where the createPuckPlugin() function registered API route handlers for /api/puck/* CRUD endpoints that invoke Payload's local API with overrideAccess: true hardcoded. In PayloadCMS architecture, overrideAccess is a privileged flag that bypasses all access control hooks and collection-level permission checks. The plugin silently ignored both the access configuration option passed to createPuckPlugin() and any access control rules defined on Puck-registered collections, effectively exposing administrative-level data manipulation capabilities through public API endpoints. This represents a complete failure of the authorization layer for all Puck-managed content.
RemediationAI
Upgrade immediately to delmaredigital/payload-puck version 0.6.23 or later, which removes the hardcoded overrideAccess: true flag and properly enforces access control configurations. The fix is implemented in commit 9148201c6bbfa140d44546438027a2f8a70f79a4 available at https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4. No workarounds are available short of patching, as the access control bypass is embedded in the plugin's core endpoint registration logic. After upgrading, verify that access control rules on Puck collections are properly configured and test that unauthenticated requests to /api/puck/* endpoints are correctly rejected according to your security policies. Review application logs for any suspicious CRUD operations on Puck collections that occurred prior to patching, as unauthorized access may have occurred without authentication failures being logged. Consult the full security advisory at https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85 for additional context.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19921
GHSA-65w6-pf7x-5g85