CVE-2026-34751
Authentication Bypass in PayloadCMS Password Recovery Flow

Publication date: 2026-04-01

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-15
Generated: 2026-05-06
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: payloadcms
Product: payload
Version / Range: up to 3.79.1 (excluding)
CWE ID and Description
CWE-640: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
CWE-472: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-34751 is a critical vulnerability in the password recovery flow of Payload CMS that allows an unauthenticated attacker to perform actions on behalf of a user initiating a password reset. This leads to high confidentiality and integrity loss, which can impact the protection of personal and sensitive data.

Such a vulnerability could negatively affect compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect user data confidentiality and integrity. Unauthorized actions on user accounts during password recovery could lead to unauthorized access to personal data, violating these standards.

The vulnerability was patched in version 3.79.1 by hardening input validation and URL construction in the password recovery process, mitigating the risk and helping maintain compliance.


Can you explain this vulnerability to me?

CVE-2026-34751 is a critical vulnerability in the Payload CMS, specifically affecting the password recovery flow in versions prior to 3.79.1. It allows an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This happens because the password recovery endpoints do not sufficiently validate their inputs, which can be exploited without any privileges or user interaction.

The vulnerability is classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) and CWE-640 (Weak Password Recovery Mechanism), meaning the system fails to properly verify inputs assumed to be immutable and uses a weak password recovery process that does not require the original password.


How can this vulnerability impact me?

This vulnerability can lead to a high impact on confidentiality and integrity because an attacker can perform unauthorized actions on behalf of a user during the password reset process. This could allow the attacker to manipulate user accounts or gain unauthorized access to sensitive information.

The attack vector is network-based with low complexity, requiring no privileges or user interaction, making it relatively easy to exploit. However, there is no impact on system availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the password recovery endpoints of Payload CMS versions prior to 3.79.1, specifically in the forgot-password functionality where unvalidated input allows unauthorized actions.

Detection can focus on monitoring network traffic for suspicious or unauthorized password reset requests, especially those that do not require authentication and may manipulate hidden form fields or URL parameters.

Since the vulnerability involves unvalidated input in password recovery flows, commands to inspect HTTP requests to the password reset endpoints could help detect exploitation attempts.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to password recovery endpoints, e.g., `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` and look for suspicious payloads.
  • Use web server logs to search for unusual or repeated POST requests to paths related to password reset, e.g., `grep -i 'forgot-password' /var/log/nginx/access.log` or equivalent.
  • Employ application-level logging or monitoring to detect password reset requests that do not follow expected validation patterns or originate from unexpected IP addresses.
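
As an added illustration of the log-based detection in the second bullet (example code written for this page, not code from the original page or from the Payload project), the script below parses constructed nginx combined-format access log lines and flags source IPs that burst POST requests to a forgot-password endpoint. The /api/<collection>/forgot-password path shape, the threshold and the time window are assumptions to adjust for your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the default nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Payload exposes password recovery per collection; the slug is deployment specific,
# so match any /api/<collection>/forgot-password path (assumed path shape).
RESET_PATH_RE = re.compile(r'^/api/[^/]+/forgot-password(\?|$)')

def parse_line(line):
    """Return a dict for one nginx combined log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_reset_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag IPs that POST to a forgot-password endpoint at least `threshold` times
    inside any `window`. Returns {ip: request count in the busiest window}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and RESET_PATH_RE.match(rec["path"]):
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        worst = 0
        for i, start in enumerate(stamps):  # sliding window anchored at each request
            n = sum(1 for t in stamps[i:] if t - start <= window)
            worst = max(worst, n)
        if worst >= threshold:
            flagged[ip] = worst
    return flagged

# Constructed sample lines: one IP hammering forgot-password, one ordinary user, one GET.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Apr/2026:10:00:01 +0000] "POST /api/users/forgot-password HTTP/1.1" 200 12 "-" "curl/8.5"',
    '198.51.100.7 - - [01/Apr/2026:10:00:02 +0000] "POST /api/users/forgot-password HTTP/1.1" 200 12 "-" "curl/8.5"',
    '198.51.100.7 - - [01/Apr/2026:10:00:04 +0000] "POST /api/users/forgot-password HTTP/1.1" 200 12 "-" "curl/8.5"',
    '203.0.113.9 - - [01/Apr/2026:10:01:00 +0000] "POST /api/users/forgot-password HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Apr/2026:10:02:00 +0000] "GET /api/users/me HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]
```

Running `flag_reset_bursts(SAMPLE_LOG)` on the constructed lines flags only 198.51.100.7. The tcpdump filter in the first bullet only sees plaintext traffic on port 80, so for TLS deployments the server-side access log is the more reliable source.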

What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade Payload CMS and @payloadcms/graphql packages to version 3.79.1 or later, where the vulnerability has been patched.

This update includes hardened input validation and improved URL construction in the password recovery process to prevent unauthorized actions.

No complete workarounds exist, so upgrading is strongly recommended to fully mitigate the risk.

Additionally, reviewing and tightening access controls and monitoring password recovery flows for suspicious activity can help reduce risk until the upgrade is applied.

