Skip to main content

Payload Puck

1 CVEs product

Monthly

CVE-2026-39397 npm CRITICAL PATCH GHSA Act Now

Access control bypass in PayloadCMS Puck plugin (delmaredigital/payload-puck) versions prior to 0.6.23 allows unauthenticated remote attackers to perform unauthorized CRUD operations on all Puck-managed content collections. The vulnerability stems from hardcoded overrideAccess: true in API endpoint handlers, completely circumventing collection-level access controls that developers implemented. With CVSS 9.4 (critical severity), CVSS vector PR:N confirms no authentication required, and AC:L indicates trivial exploitation. No CISA KEV listing or public exploit identified at time of analysis, but the vulnerability is straightforward to exploit given the network-accessible API endpoints and complete access control failure.

Authentication Bypass Payload Puck
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.0%
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Access control bypass in PayloadCMS Puck plugin (delmaredigital/payload-puck) versions prior to 0.6.23 allows unauthenticated remote attackers to perform unauthorized CRUD operations on all Puck-managed content collections. The vulnerability stems from hardcoded overrideAccess: true in API endpoint handlers, completely circumventing collection-level access controls that developers implemented. With CVSS 9.4 (critical severity), CVSS vector PR:N confirms no authentication required, and AC:L indicates trivial exploitation. No CISA KEV listing or public exploit identified at time of analysis, but the vulnerability is straightforward to exploit given the network-accessible API endpoints and complete access control failure.

Authentication Bypass Payload Puck
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy