CVE-2026-39397
Received Received - Intake
Access Control Bypass in @delmaredigital/payload-puck Plugin Endpoints

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39397
EUVD
EUVD-2026-19921
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
delmaredigital payload-puck to 0.6.23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade the @delmaredigital/payload-puck plugin to version 0.6.23 or later, where the issue is fixed.

Executive Summary

The vulnerability exists in the @delmaredigital/payload-puck plugin for PayloadCMS, specifically in versions prior to 0.6.23. The plugin's /api/puck/* CRUD endpoints called Payload's local API with the overrideAccess option set to true by default. This setting bypassed all collection-level access controls, meaning that access restrictions defined on collections or passed to the plugin were ignored. As a result, unauthorized users could perform create, read, update, or delete operations on data without proper permission checks.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthorized users to bypass access controls and perform CRUD operations on data collections. This can lead to unauthorized data exposure, modification, or deletion. The CVSS score of 9.4 indicates a high severity, with potential for complete confidentiality, integrity, and partial availability loss.

Compliance Impact

This vulnerability allows bypassing all collection-level access control in the PayloadCMS plugin, which means unauthorized users could access, modify, or delete sensitive data through the /api/puck/* CRUD endpoints.

Such unauthorized access and potential data breaches can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive personal and health information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart