CVE-2026-34749
CSRF Vulnerability in Payload CMS Authentication Flow Allows Bypass
Publication date: 2026-04-01
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| payloadcms | payload | < 3.79.1 (all versions before 3.79.1; 3.79.1 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-34749 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-34749 is a Cross-Site Request Forgery (CSRF) weakness (CWE-352) in the authentication flow of Payload CMS, affecting versions before 3.79.1.
Under certain conditions the existing CSRF protection can be bypassed, so a page controlled by an attacker can make a victim's browser send requests to the Payload instance that carry the victim's session, without the victim intending them.
In practice, a logged-in user who visits an attacker-controlled page can be made to perform state-changing actions, because the server does not sufficiently verify that the request originated from the legitimate application rather than from another site.
Two preconditions are stated: the Payload version is below 3.79.1, and serverURL is configured.
Version 3.79.1 fixes the issue by adding extra validation steps to the authentication flow so that the bypass no longer works.
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform unauthorized actions on behalf of authenticated users without their consent.
The impact includes potential unauthorized modification of data (integrity impact) and possible disruption of service availability, although confidentiality is not affected.
Because the attack can be performed remotely and with low complexity, it poses a moderate security risk.
Users of vulnerable versions should upgrade to 3.79.1 or later to mitigate this risk.
A temporary mitigation is to set the session cookie's SameSite attribute to 'Strict' (in Payload this is the auth collection's cookies.sameSite option). A Strict cookie is never sent on a request initiated from another site, so a cross-site request forged by an attacker arrives without the session; the cost is that users following a link to the admin panel from an e-mail or another website also arrive without the session and have to log in again.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Payload CMS versions before 3.79.1 in which the CSRF protection in the authentication flow can be bypassed under certain conditions. Detection therefore means two checks: which version of Payload is actually installed, and whether serverURL is set in the Payload config.
No command detects the vulnerability itself on the network. The installed version can be read with:
- npm ls payload (or pnpm ls payload), which prints the resolved version from node_modules rather than the range declared in package.json
- grep '"payload"' package.json, bearing in mind that a range such as ^3.70.0 only gives a lower bound; the lockfile (package-lock.json, pnpm-lock.yaml or yarn.lock) records the version that was installed
- grep -n serverURL payload.config.ts (or payload.config.js) to see whether the serverURL precondition is met
Monitoring for unexpected cross-site requests to the authentication endpoints, or for unusual authentication activity, may reveal exploitation attempts, but the advisory provides no specific detection signatures.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade Payload CMS to version 3.79.1 or later, where additional validation in the authentication flow closes the bypass.
If upgrading immediately is not possible, a temporary mitigation is to set the session cookie's SameSite attribute to 'Strict' (Payload exposes this as the auth collection's cookies.sameSite option). The browser then withholds the session cookie from any request that another site initiated, which removes the session from a forged cross-site request.
The trade-off is that a Strict cookie is also withheld on ordinary top-level navigations from other sites, so users who reach the application through a link in an e-mail or on another website arrive logged out and must authenticate again.