{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-34746/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-34746"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-34746","ssrf","payload-cms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePayload CMS, a free and open-source headless content management system, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-34746) in versions prior to 3.79.1. An authenticated user with create or update permission on an upload-enabled collection can make the server issue outbound HTTP requests to a URL of the user's choosing. The flaw stems from insufficient validation of user-supplied URLs during the upload process. An attacker can use it to scan internal networks, reach internal services that are not exposed to the internet, or otherwise abuse the server's network position. The vulnerability is fixed in Payload CMS 3.79.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Payload CMS application with create or update access to an upload-enabled collection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to the upload functionality containing a URL that the server will fetch. 
This URL could point to an internal service (including cloud instance-metadata endpoints), another host on the server's network, or an external server the attacker controls, which lets the attacker confirm that the request was made.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted request to the Payload CMS server through the upload mechanism.\u003c/li\u003e\n\u003cli\u003eThe Payload CMS server, lacking adequate validation of the provided URL, accepts the request.\u003c/li\u003e\n\u003cli\u003eThe server initiates an HTTP request to the attacker-specified URL from its own network position.\u003c/li\u003e\n\u003cli\u003eThe server receives the response from the targeted URL.\u003c/li\u003e\n\u003cli\u003eWhether the response body is stored as the uploaded file and thus readable by the attacker, or only a status or error is returned, depends on the implementation; the former is a full-read SSRF, the latter a blind one that still permits port scanning through timing and error differences.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to internal resources or services, or uses the server as a proxy for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-34746) can allow an attacker to perform unauthorized actions such as internal port scanning, reading data from internal services that trust requests coming from the CMS host, or using the server as a proxy for attacks against other systems. This could lead to data breaches, service disruption, or further compromise of the affected infrastructure. 
Any deployment running a Payload CMS version prior to 3.79.1 that grants create or update access on an upload-enabled collection to untrusted or low-privilege users is affected; the number of such installations is not known.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Payload CMS to version 3.79.1 or later to patch the SSRF vulnerability (CVE-2026-34746).\u003c/li\u003e\n\u003cli\u003eValidate every user-supplied URL that the server will fetch, especially in upload functionality: allow only http and https, reject URLs carrying credentials or IP literals, check the hostname against an allowlist, resolve it and reject private, loopback, link-local and cloud-metadata addresses, and do not follow redirects without re-validating the target.\u003c/li\u003e\n\u003cli\u003eMonitor egress logs (proxy, firewall or flow logs; web server access logs record inbound requests, not outbound ones) for HTTP requests originating from the Payload CMS host to internal address ranges, the 169.254.169.254 metadata endpoint, or unexpected external hosts. Deploy the Sigma rule detecting outbound connections from the webserver.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and default-deny egress filtering for the CMS host to limit the impact of a successful SSRF attack by restricting access to sensitive internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T20:16:26Z","date_published":"2026-04-01T20:16:26Z","id":"/briefs/2026-04-payload-cms-ssrf/","summary":"Payload CMS versions before 3.79.1 are vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated users with upload access to trigger outbound HTTP requests to arbitrary URLs.","title":"Payload CMS SSRF Vulnerability (CVE-2026-34746)","url":"https://feed.craftedsignal.io/briefs/2026-04-payload-cms-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-34746","version":"https://jsonfeed.org/version/1.1"}
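The recommendation to validate user-supplied URLs before a server-side fetch is easier to get wrong than it sounds, so the following Node.js example shows the checks in working form. It is added here for illustration and is not Payload CMS's code nor its 3.79.1 fix; the allowlisted hostnames, the function names and the blocked-range table are assumptions made for the example. It uses only the WHATWG URL global and node:dns, and it goes a little beyond the bullet by also catching IPv4-mapped IPv6 and the decimal/hex IP forms that the URL parser canonicalises.

```javascript
// Added example, not Payload CMS code. Validation for a "fetch this URL into
// the upload collection" feature: allowlist the hostname, refuse IP literals
// and credentials, then resolve the name and reject internal addresses so the
// caller can connect to a checked address instead of re-resolving (DNS rebinding).

const ALLOWED_HOSTS = new Set(["cdn.example.com", "assets.example.org"]); // hypothetical

// IPv4 ranges an SSRF sink must never reach: [network, prefix length].
// Covers "this" network, RFC 1918, CGNAT, loopback, link-local (includes the
// 169.254.169.254 cloud metadata endpoint), multicast and reserved.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedIpv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // malformed: fail closed
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Works on the canonical forms dns.lookup() returns (e.g. "::ffff:7f00:1").
function isBlockedAddress(ip) {
  let a = ip.trim().toLowerCase();
  if (a.startsWith("[") && a.endsWith("]")) a = a.slice(1, -1);
  if (!a.includes(":")) return isBlockedIpv4(a);
  const mapped = a.match(/^::ffff:(.+)$/); // IPv4-mapped IPv6: check the embedded IPv4
  if (mapped) {
    const rest = mapped[1];
    if (rest.includes(".")) return isBlockedIpv4(rest);
    const hex = rest.split(":").map((h) => parseInt(h, 16));
    if (hex.length !== 2 || hex.some((h) => Number.isNaN(h) || h > 0xffff)) return true;
    const n = hex[0] * 65536 + hex[1];
    return isBlockedIpv4([n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join("."));
  }
  if (a === "::" || a === "::1") return true;   // unspecified, loopback
  if (/^fe[89ab]/.test(a)) return true;         // fe80::/10 link-local
  if (/^f[cd]/.test(a)) return true;            // fc00::/7 unique local
  if (/^ff/.test(a)) return true;               // ff00::/8 multicast
  if (a.startsWith("64:ff9b:")) return true;    // NAT64 prefix wraps an IPv4: fail closed
  return !/^[0-9a-f:]+$/.test(a);               // anything else odd: fail closed
}

// Step 1 (synchronous): parse and apply the allowlist. The WHATWG parser has
// already turned 0x7f000001, 2130706433 and 127.1 into "127.0.0.1", so the
// IP-literal check sees the canonical form.
function validateUploadUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password)
    return { ok: false, reason: "credentials in URL not allowed" };
  if (url.port !== "") return { ok: false, reason: "non-default port not allowed" };
  const host = url.hostname.replace(/\.$/, "").toLowerCase();
  if (host.startsWith("[") || /^\d+(\.\d+){3}$/.test(host))
    return { ok: false, reason: "IP literal not allowed" };
  if (!allowedHosts.has(host)) return { ok: false, reason: `host ${host} not in allowlist` };
  return { ok: true, url };
}

// Step 2 (asynchronous): resolve the allowlisted name, check every address and
// hand the vetted addresses back so the fetch connects to one of them directly.
async function resolveAndCheck(hostname) {
  const { promises: dns } = await import("node:dns");
  const addrs = await dns.lookup(hostname, { all: true });
  if (addrs.length === 0 || addrs.some((a) => isBlockedAddress(a.address)))
    throw new Error(`${hostname} resolves to a blocked or empty address set`);
  return addrs.map((a) => a.address);
}

console.log(validateUploadUrl("https://cdn.example.com/logo.png"));
console.log(validateUploadUrl("http://0x7f000001/admin"));
```

Order matters: run validateUploadUrl, then resolveAndCheck, then fetch the returned address (with the original Host header) using a short timeout, a response size cap and redirect set to manual, and put any Location header through both checks again before following it. Both steps are needed because the allowlist says nothing about where a name resolves, and a name under the attacker's control can be pointed at 127.0.0.1 or a metadata IP after the first lookup.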