Executive Summary

CVE-2026-34750 is a vulnerability in the Payload CMS storage adapters for S3, Google Cloud Storage (GCS), Azure, and R2, specifically in the client-upload signed-URL endpoints prior to version 3.78.0.

The issue arises because these endpoints do not properly sanitize filenames submitted by clients. This allows an attacker to craft filenames that can escape the intended storage location, effectively performing a path traversal attack (CWE-22).

This means the pathname of the uploaded file can resolve outside the restricted directory, potentially allowing unauthorized access or modification of files.

The vulnerability has been patched in version 3.78.0 by improving filename validation for client uploads.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to modify data in your storage system without authorization.

Because the flaw enables path traversal, an attacker could upload files outside the intended storage location, potentially overwriting or injecting malicious files.

The CVSS score indicates a moderate severity with a high integrity impact, meaning the confidentiality and availability of data are not affected, but the integrity (accuracy and trustworthiness) of data can be compromised.

Exploitation requires low privileges and no user interaction, making it easier for attackers with some access to cause harm.

Until patched, it is recommended to restrict access to the client-upload signed-URL endpoints to trusted users only to reduce risk.

Useful 0 Not Useful 0

Mitigation Strategies

Until upgrading to version 3.78.0 or later, users are advised to limit access to client-upload signed-URL endpoints to trusted users only to mitigate exploitation risk.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to craft filenames that escape the intended storage location, enabling unauthorized modification of data (integrity impact). Such unauthorized data modification could potentially lead to non-compliance with standards and regulations that require data integrity and protection, such as GDPR and HIPAA.

However, the CVE description and resources do not explicitly mention compliance impacts or specific regulatory concerns related to this vulnerability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects versions of @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3 prior to 3.78.0 that do not properly sanitize filenames in client-upload signed-URL endpoints. Detection involves identifying if your system is running a vulnerable version of Payload CMS storage adapters and monitoring for suspicious or crafted filenames attempting path traversal.

To detect this vulnerability on your system, first verify the installed versions of the affected packages. For example, you can check the installed versions using npm commands:

• npm list @payloadcms/storage-azure @payloadcms/storage-gcs @payloadcms/storage-r2 @payloadcms/storage-s3

If any of these packages are below version 3.78.0, your system is potentially vulnerable.

To detect exploitation attempts on your network or system, monitor logs for unusual or crafted filenames in requests to client-upload signed-URL endpoints that include path traversal patterns such as '../' or encoded variants.

• Use command-line tools like grep to search server logs for suspicious filename patterns, for example:
• grep -E '\.\./|%2e%2e' /path/to/your/logs/access.log

Additionally, monitoring network traffic for requests to the signed-URL endpoints with unusual filename parameters can help detect exploitation attempts.

Useful 0 Not Useful 0