CVE-2026-27567
Received Received - Intake
SSRF in Payload CMS External File Upload Enables Internal Access

Publication date: 2026-02-24

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27567
EUVD
EUVD-2026-8467
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
payloadcms payload to 3.75.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27567 is a Server-Side Request Forgery (SSRF) vulnerability in the Payload CMS, a headless content management system. This vulnerability exists in versions prior to 3.75.0 within the external file upload functionality. Specifically, when processing external URLs for file uploads, the system insufficiently validates HTTP redirects. This flaw allows an authenticated attacker with write permissions on an upload-enabled collection to trick the server into sending requests to internal network resources that are normally inaccessible.

The attacker can exploit this by providing a URL that redirects to internal services, thereby bypassing security checks that only validate the initial URL. As a result, the attacker can retrieve response content from internal services through the application.

To be vulnerable, the environment must have at least one collection with upload enabled and a user with create access to that collection. The vulnerability was patched in version 3.75.0 by adding manual handling and validation of redirects during external file uploads.

Impact Analysis

This vulnerability can allow an authenticated attacker with upload write permissions to access internal network services that are otherwise protected from external access. By exploiting the insufficient validation of HTTP redirects, the attacker can make the server send requests to internal endpoints and retrieve sensitive response data.

The impact includes unauthorized disclosure of confidential information and potential manipulation of internal services, affecting the confidentiality and integrity of the system. The CVSS v3.1 base score is 6.5, indicating a moderate severity with high confidentiality and integrity impact but no impact on availability.

Compliance Impact

I don't know

Detection Guidance

Detection of this SSRF vulnerability involves identifying whether your Payload CMS instance is running a version prior to 3.75.0 and if it has at least one collection with external file uploads enabled and users with create access to those collections.

Since the vulnerability exploits HTTP redirects during external file uploads, monitoring or logging HTTP requests made by the Payload server to external URLs and internal network resources can help detect exploitation attempts.

Suggested commands or approaches include:

  • Check the Payload CMS version installed: `payload --version` or check package.json dependencies.
  • Audit user permissions on collections with upload enabled to identify users with create access.
  • Monitor outgoing HTTP requests from the server, for example using network monitoring tools like `tcpdump` or `wireshark` to capture requests to internal IP ranges.
  • Use application logs to detect unusual file upload requests that include external URLs, especially those that result in redirects.
  • If possible, enable verbose logging or debugging in Payload CMS to capture details of external file upload processing.
Mitigation Strategies

Immediate mitigation steps before upgrading Payload CMS to version 3.75.0 include:

  • Disable external file uploads by setting the `disableExternalFile` option on upload-enabled collections.
  • Restrict `create` access on upload-enabled collections to only trusted users to reduce the risk of exploitation.
  • Plan and perform an upgrade to Payload CMS version 3.75.0 or later, which contains the patch that properly validates HTTP redirects during external file uploads.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27567. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart