Executive Summary

CVE-2026-34746 is an authenticated Server-Side Request Forgery (SSRF) vulnerability found in the Payload CMS software versions prior to 3.79.1. It affects the upload functionality, where authenticated users who have create or update permissions on collections with upload enabled can trick the server into making outbound HTTP requests to arbitrary URLs. This happens because the server does not properly validate the destinations of these requests, allowing attackers to induce the server to send requests to unintended locations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to internal or external network resources by allowing an attacker to make the server send HTTP requests to arbitrary URLs. The impact is primarily on confidentiality, as sensitive information accessible through these requests could be exposed. The vulnerability does not affect the integrity or availability of the system but poses a high risk due to the potential exposure of confidential data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the server making outbound HTTP requests to arbitrary URLs when an authenticated user with create or update access to an upload-enabled collection exploits the upload functionality. Detection can focus on monitoring outbound HTTP requests originating from the Payload CMS server, especially those triggered by authenticated users performing upload operations.

Suggested detection methods include:

• Monitor network traffic from the Payload server for unusual or unexpected outbound HTTP requests.
• Check server logs for upload activity by authenticated users with create or update permissions.
• Use network monitoring tools or commands such as `tcpdump` or `wireshark` to capture outbound HTTP requests from the server.
• Example command to capture outbound HTTP requests on port 80 or 443 from the server:
• tcpdump -i <interface> -nn -s0 -A 'tcp dst port 80 or tcp dst port 443'
• Review application logs or enable verbose logging in Payload CMS to identify upload requests that trigger outbound connections.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, it is recommended to upgrade Payload CMS to version 3.79.1 or later, where the issue has been patched.

If upgrading is not immediately possible, interim mitigations include:

• Restrict create and update access on upload-enabled collections to only trusted roles or users.
• Limit outbound network access from the Payload server to prevent it from making arbitrary HTTP requests.

Useful 0 Not Useful 0

Compliance Impact

The authenticated Server-Side Request Forgery (SSRF) vulnerability in Payload CMS prior to version 3.79.1 allows attackers to cause the server to make outbound HTTP requests to arbitrary URLs, potentially leading to unauthorized access to internal or external network resources.

This unauthorized access could result in exposure of sensitive data, which may impact compliance with data protection regulations such as GDPR and HIPAA that require strict controls over data confidentiality and access.

Because the vulnerability has a high impact on confidentiality (CVSS score 7.7) and allows attackers to bypass expected security boundaries, organizations using vulnerable versions of Payload CMS might face increased risk of data breaches or unauthorized data disclosure, thereby affecting their compliance posture.

Mitigations such as upgrading to version 3.79.1 or later, restricting create and update access on upload-enabled collections to trusted roles, and limiting outbound network access from the Payload server are recommended to reduce this risk and help maintain compliance.

Useful 0 Not Useful 0