CVE-2026-27567
SSRF in Payload CMS External File Upload Enables Internal Access
Publication date: 2026-02-24
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| payloadcms | payload | all versions before 3.75.0 (3.75.0 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27567 is a Server-Side Request Forgery (SSRF) vulnerability in the Payload CMS, a headless content management system. This vulnerability exists in versions prior to 3.75.0 within the external file upload functionality. Specifically, when processing external URLs for file uploads, the system insufficiently validates HTTP redirects. This flaw allows an authenticated attacker with write permissions on an upload-enabled collection to trick the server into sending requests to internal network resources that are normally inaccessible.
The attacker can exploit this by providing a URL that redirects to internal services, thereby bypassing security checks that only validate the initial URL. As a result, the attacker can retrieve response content from internal services through the application.
To be vulnerable, the environment must have at least one collection with upload enabled and a user with create access to that collection. The vulnerability was patched in version 3.75.0 by adding manual handling and validation of redirects during external file uploads.
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker with upload write permissions to access internal network services that are otherwise protected from external access. By exploiting the insufficient validation of HTTP redirects, the attacker can make the server send requests to internal endpoints and retrieve sensitive response data.
The impact includes unauthorized disclosure of confidential information and potential manipulation of internal services, affecting the confidentiality and integrity of the system. The CVSS v3.1 base score is 6.5, indicating a moderate severity with high confidentiality and integrity impact but no impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability involves identifying whether your Payload CMS instance is running a version prior to 3.75.0 and whether it has at least one collection with external file uploads enabled and users with create access to those collections.
Since the vulnerability exploits HTTP redirects during external file uploads, monitoring or logging HTTP requests made by the Payload server to external URLs and internal network resources can help detect exploitation attempts.
Suggested commands or approaches include:
- Check the Payload CMS version installed: `payload --version` or check package.json dependencies.
- Audit user permissions on collections with upload enabled to identify users with create access.
- Monitor outgoing HTTP requests from the server, for example using network monitoring tools like `tcpdump` or `wireshark` to capture requests to internal IP ranges.
- Use application logs to detect unusual file upload requests that include external URLs, especially those that result in redirects.
- If possible, enable verbose logging or debugging in Payload CMS to capture details of external file upload processing.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps before upgrading Payload CMS to version 3.75.0 include:
- Disable external file uploads by setting the `disableExternalFile` option on upload-enabled collections.
- Restrict `create` access on upload-enabled collections to only trusted users to reduce the risk of exploitation.
- Plan and perform an upgrade to Payload CMS version 3.75.0 or later, which contains the patch that properly validates HTTP redirects during external file uploads.
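The fix is described above as handling redirects manually and validating each one during external file uploads. The following is an added example of that approach, written for this page and not taken from Payload's code or its patch: every hop of a redirect chain is checked against an allowlist of schemes and a denylist of internal address ranges before it is requested. It assumes Node 18+ for the global `fetch`; the function names and the `fetchImpl` injection point are this example's own.

```javascript
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Private, loopback, link-local and "this host" IPv4 ranges.
function isInternalIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Loopback, unspecified, unique-local, link-local and IPv4-mapped IPv6.
function isInternalIPv6(ip) {
  const v6 = ip.toLowerCase();
  if (v6 === '::1' || v6 === '::' || /^f[cd]/.test(v6) || v6.startsWith('fe80')) return true;
  // The URL parser serialises ::ffff:127.0.0.1 as ::ffff:7f00:1; unmap it and
  // apply the IPv4 rules so a mapped loopback address cannot slip through.
  const m = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isInternalIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Returns null when the URL may be requested, otherwise the reason to refuse it.
// Only literal addresses are checked; resolve hostnames and re-check in production.
function rejectReason(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return 'unparseable URL'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return `scheme ${url.protocol} not allowed`;
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return 'localhost not allowed';
  if (IPV4_LITERAL.test(host) && isInternalIPv4(host)) return `internal address ${host}`;
  if (host.includes(':') && isInternalIPv6(host)) return `internal address ${host}`;
  return null;
}

// Follows at most maxHops redirects with redirect: 'manual', re-validating the
// Location of every hop. fetchImpl is this example's own injection point (so a
// test can stub it) and defaults to the global fetch of Node 18+.
async function fetchExternalFile(urlString, { fetchImpl = globalThis.fetch, maxHops = 5 } = {}) {
  let current = urlString;
  for (let hop = 0; hop <= maxHops; hop++) {
    const reason = rejectReason(current);
    if (reason) throw new Error(`refused ${current}: ${reason}`);
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get('location');
    if (!location) throw new Error('redirect without a Location header');
    current = new URL(location, current).toString(); // relative Location is resolved here
  }
  throw new Error(`more than ${maxHops} redirects`);
}
```

Because the check runs on the parsed URL, shorthand forms such as a single decimal number in place of a dotted address are normalised by the URL parser before they are compared against the denylist.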