CVE-2026-11779
Status: Received - Intake
Improper Authorization in PayloadCMS

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Fluid Attacks

Description
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor       Product   Version / Range
payloadcms   payload   3.84.1
CWE
CWE-307: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Executive Summary

CVE-2026-11779 is an authenticated account lockout bypass vulnerability in PayloadCMS version 3.84.1 caused by insufficient access control on the account unlock operation.

Specifically, when an authentication-enabled collection does not override the default access.unlock policy, any authenticated user can use the POST /api/users/unlock endpoint to unlock arbitrary user accounts by providing the target user's email address.

This allows a low-privileged attacker to bypass the application's account lockout protections, such as maxLoginAttempts and lockTime, enabling them to repeatedly reset the lockout state of a target account.

As a result, the attacker can continue guessing passwords without waiting for the lockout period to expire, effectively defeating brute-force protection mechanisms.

The vulnerability affects default templates that inherit this behavior and currently has no available patch.

Impact Analysis

This vulnerability can allow an attacker with low privileges to bypass account lockout protections by unlocking user accounts arbitrarily.

By resetting the lockout state repeatedly, the attacker can perform brute-force password guessing attacks without being blocked by lockout mechanisms.

This increases the risk of unauthorized access to user accounts, potentially leading to account compromise and unauthorized actions within the affected system.

Detection Guidance

This vulnerability can be detected by monitoring requests to the POST /api/users/unlock endpoint in PayloadCMS version 3.84.1. Specifically, look for authenticated users attempting to unlock accounts by supplying the email addresses of accounts they do not own.

Commands to detect potential exploitation attempts could include inspecting web server logs or using network monitoring tools to filter for POST requests to /api/users/unlock with unusual or repeated email parameters.

  • Use grep or similar tools on server logs: grep 'POST /api/users/unlock' /path/to/access.log
  • Use curl or HTTP client tools to test the endpoint with different authenticated user tokens to verify if account unlocks are improperly authorized.
  • Monitor for repeated unlock attempts from low-privileged accounts which may indicate exploitation of the vulnerability.
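The following is an added example, not part of the advisory and not code from the Payload project, that turns the grep-style check above into a small detector: it parses web server access log lines in the common "combined" format, keeps only POST /api/users/unlock requests, and flags any client that issues three or more of them inside a ten-minute window. The target email address travels in the request body, so an access log only shows the path and the source; per-client repetition is therefore the signal available at this layer. The log lines, IP addresses and thresholds are constructed for the example.

```typescript
// Added example: detect repeated unlock requests in access logs.
// Assumes Apache/nginx "combined" log format; sample lines are constructed.

interface UnlockEvent {
  client: string;  // source IP
  user: string;    // authuser field as written by the proxy ('-' if absent)
  time: Date;
  status: number;
}

// client ident authuser [date] "METHOD PATH PROTO" status ...
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

const MONTHS: Record<string, number> = {
  Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
  Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11,
};

// Parse "26/Jun/2026:10:15:02 +0000" into a Date, honouring the offset.
function parseClfTime(s: string): Date {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) throw new Error(`bad timestamp: ${s}`);
  const [, d, mon, y, hh, mm, ss, sign, oh, om] = m;
  const utc = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss);
  const offsetMs = (+oh * 60 + +om) * 60_000 * (sign === '+' ? 1 : -1);
  return new Date(utc - offsetMs);
}

// Keep only POST requests to the unlock endpoint (query string ignored).
function parseUnlockEvents(lines: string[]): UnlockEvent[] {
  const out: UnlockEvent[] = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, client, user, ts, method, path, status] = m;
    if (method !== 'POST' || path.split('?')[0] !== '/api/users/unlock') continue;
    out.push({ client, user, time: parseClfTime(ts), status: Number(status) });
  }
  return out;
}

// Return clients that made >= threshold unlock requests within any
// windowSec-long sliding window, mapped to the highest count seen.
function findRepeatedUnlocks(
  events: UnlockEvent[],
  threshold = 3,
  windowSec = 600,
): Map<string, number> {
  const byClient = new Map<string, number[]>();
  for (const e of events) {
    const arr = byClient.get(e.client) ?? [];
    arr.push(e.time.getTime());
    byClient.set(e.client, arr);
  }
  const flagged = new Map<string, number>();
  byClient.forEach((times, client) => {
    times.sort((a, b) => a - b);
    let start = 0;
    let best = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSec * 1000) start++;
      best = Math.max(best, end - start + 1);
    }
    if (best >= threshold) flagged.set(client, best);
  });
  return flagged;
}

// Constructed sample traffic: one client hammers the unlock endpoint,
// another uses it once (e.g. a legitimate administrator).
const SAMPLE_LOG = [
  '203.0.113.7 - - [26/Jun/2026:10:15:02 +0000] "POST /api/users/login HTTP/1.1" 401 54 "-" "curl/8.0"',
  '203.0.113.7 - - [26/Jun/2026:10:15:03 +0000] "POST /api/users/unlock HTTP/1.1" 200 35 "-" "curl/8.0"',
  '203.0.113.7 - - [26/Jun/2026:10:16:10 +0000] "POST /api/users/unlock HTTP/1.1" 200 35 "-" "curl/8.0"',
  '203.0.113.7 - - [26/Jun/2026:10:17:44 +0000] "POST /api/users/unlock HTTP/1.1" 200 35 "-" "curl/8.0"',
  '198.51.100.4 - - [26/Jun/2026:11:02:00 +0000] "POST /api/users/unlock HTTP/1.1" 200 35 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [26/Jun/2026:11:40:00 +0000] "GET /api/users/me HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
];

function demo(): Map<string, number> {
  return findRepeatedUnlocks(parseUnlockEvents(SAMPLE_LOG));
}

console.log(demo()); // Map { '203.0.113.7' => 3 }
```

Tune the threshold and window to the size of your user base; an administrator unlocking several accounts after an incident is a legitimate burst, so correlate flagged clients with the authenticated identity recorded by your application logs before acting.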

Mitigation Strategies

Immediate mitigation steps include restricting access to the POST /api/users/unlock endpoint to only highly privileged users by implementing stricter access control policies.

Since there is currently no patch available, it is important to override the default access.unlock policy in your PayloadCMS configuration to prevent low-privileged authenticated users from unlocking arbitrary accounts.
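As an added example (not code from the advisory or the Payload project), the fragment below shows the default unlock policy beside a hardened override on an auth-enabled collection. The `roles` field and the `'admin'` value are assumptions standing in for whatever role model the deployment uses; the `AccessArgs` type is a minimal local stand-in for the `req` argument Payload passes to access functions, so the file runs without the payload package installed.

```typescript
// Added example: override access.unlock so only administrators can reset
// a lockout. Role field name and values are assumptions for illustration.

// Minimal stand-in for the argument Payload hands to access functions
// (assumption: only `req.user` is needed here).
interface AccessArgs {
  req: { user?: { id: string; email: string; roles?: string[] } | null };
}

// Default behaviour when access.unlock is not set: any logged-in user passes.
// This is the condition the advisory describes.
const defaultUnlock = ({ req: { user } }: AccessArgs): boolean => Boolean(user);

// Hardened policy: only users carrying the 'admin' role may unlock accounts.
const adminOnlyUnlock = ({ req: { user } }: AccessArgs): boolean =>
  Boolean(user?.roles?.includes('admin'));

// Collection config fragment with the override in place. Keys follow
// Payload's documented CollectionConfig shape (auth, fields, access).
const Users = {
  slug: 'users',
  auth: {
    maxLoginAttempts: 5,
    lockTime: 10 * 60 * 1000, // milliseconds; 10-minute lockout
  },
  fields: [
    {
      name: 'roles',
      type: 'select',
      hasMany: true,
      options: ['admin', 'editor'],
      defaultValue: ['editor'],
    },
  ],
  access: {
    unlock: adminOnlyUnlock,
  },
};

// Evaluate a policy for a given user; null models an unauthenticated request.
function canUnlock(
  policy: (args: AccessArgs) => boolean,
  user: AccessArgs['req']['user'],
): boolean {
  return policy({ req: { user } });
}

const editor = { id: '1', email: 'editor@example.test', roles: ['editor'] };
const admin = { id: '2', email: 'admin@example.test', roles: ['admin'] };

console.log(canUnlock(defaultUnlock, editor));      // true  (vulnerable default)
console.log(canUnlock(Users.access.unlock, editor)); // false (hardened)
console.log(canUnlock(Users.access.unlock, admin));  // true
```

Apply the same review to every auth-enabled collection in the config, since each one exposes its own unlock operation and inherits the default independently.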

Additionally, monitor and audit unlock requests to detect and respond to suspicious activity promptly.

Compliance Impact

The vulnerability allows low-privileged authenticated users to bypass account lockout protections by unlocking arbitrary user accounts. This undermines the application's brute-force protection mechanisms, potentially leading to unauthorized access to user accounts.

Such unauthorized access risks compromising sensitive personal data, which could negatively impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of user information.

However, the provided information does not explicitly state the direct impact on compliance with these standards.
