{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/payloadcms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.4,"id":"CVE-2026-39397"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["payload-puck plugin","PayloadCMS"],"_cs_severities":["critical"],"_cs_tags":["payloadcms","puck","access-control-bypass","cve-2026-39397"],"_cs_type":"advisory","_cs_vendors":["Delmare Digital","PayloadCMS"],"content_html":"\u003cp\u003eThe @delmaredigital/payload-puck plugin, designed to integrate the Puck visual page builder with PayloadCMS, contains a critical access control vulnerability. In versions prior to 0.6.23, the \u003ccode\u003e/api/puck/*\u003c/code\u003e CRUD endpoint handlers, registered by \u003ccode\u003ecreatePuckPlugin()\u003c/code\u003e, call Payload's local API with \u003ccode\u003eoverrideAccess: true\u003c/code\u003e by default. This configuration effectively bypasses all collection-level access control mechanisms defined within PayloadCMS. Consequently, any access options passed to \u003ccode\u003ecreatePuckPlugin()\u003c/code\u003e or access rules defined on Puck-registered collections are silently ignored, granting unauthorized access to data and potentially enabling malicious actors to perform CRUD operations without proper authentication or authorization. This vulnerability allows for defense evasion and unauthorized data modification within PayloadCMS instances utilizing vulnerable versions of the plugin. It is crucial to upgrade to version 0.6.23 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a PayloadCMS instance running a vulnerable version of the \u003ccode\u003e@delmaredigital/payload-puck\u003c/code\u003e plugin (prior to 0.6.23).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a \u003ccode\u003e/api/puck/*\u003c/code\u003e endpoint, such as \u003ccode\u003e/api/puck/pages/create\u003c/code\u003e, \u003ccode\u003e/api/puck/pages/update\u003c/code\u003e, or \u003ccode\u003e/api/puck/pages/delete\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects unauthorized data or commands within the request body, exploiting the lack of access control checks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreatePuckPlugin()\u003c/code\u003e function processes the request, calling Payload's local API with \u003ccode\u003eoverrideAccess: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePayloadCMS's access control mechanisms are bypassed due to the \u003ccode\u003eoverrideAccess\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eThe attacker's unauthorized data or commands are executed, potentially creating, updating, or deleting sensitive data within the PayloadCMS instance.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges by modifying user roles or creating new administrative accounts via the exposed API endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or defaces the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass access controls and perform unauthorized CRUD operations on PayloadCMS collections. This could lead to data breaches, data manipulation, privilege escalation, and complete compromise of the affected PayloadCMS instance. The impact is particularly severe for organizations relying on PayloadCMS to manage sensitive content or critical business processes. The CVSS v3.1 base score is 9.4, indicating a critical severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@delmaredigital/payload-puck\u003c/code\u003e plugin to version 0.6.23 or later to remediate the access control bypass vulnerability (CVE-2026-39397).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect Unauthorized Access to PayloadCMS Puck Endpoints\u0026quot; to identify potential exploitation attempts targeting the \u003ccode\u003e/api/puck/*\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eReview and audit existing PayloadCMS access control configurations to ensure proper restrictions are in place after upgrading the \u003ccode\u003e@delmaredigital/payload-puck\u003c/code\u003e plugin.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-payload-puck-access-control-bypass/","summary":"A critical vulnerability in @delmaredigital/payload-puck versions prior to 0.6.23 allows attackers to bypass collection-level access controls in PayloadCMS via the /api/puck/* endpoints due to improper access configuration, leading to unauthorized data manipulation.","title":"PayloadCMS Puck Plugin Access Control Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-payload-puck-access-control-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - PayloadCMS","version":"https://jsonfeed.org/version/1.1"}