{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/payload-cms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-34746"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-34746","ssrf","payload-cms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePayload CMS, a free and open-source headless content management system, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-34746) in versions prior to 3.79.1. This flaw allows authenticated users with create or update permissions to upload-enabled collections to trigger the server to initiate outbound HTTP requests to arbitrary URLs. This vulnerability stems from insufficient validation of user-supplied URLs during the upload process. An attacker could potentially exploit this to scan internal networks, access internal services, or conduct other malicious activities. The vulnerability has been addressed in version 3.79.1 of Payload CMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Payload CMS application with create or update access to an upload-enabled collection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing a URL intended for server-side processing via the upload functionality. This URL could point to an internal service, a file on the local system, or an external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted request to the Payload CMS server through the upload mechanism.\u003c/li\u003e\n\u003cli\u003eThe Payload CMS server, lacking adequate validation of the provided URL, processes the request.\u003c/li\u003e\n\u003cli\u003eThe server initiates an HTTP request to the attacker-specified URL.\u003c/li\u003e\n\u003cli\u003eThe server receives the response from the targeted URL.\u003c/li\u003e\n\u003cli\u003eThe response is potentially processed or returned by the Payload CMS application depending on the specific implementation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to internal resources or services, or potentially uses the server as a proxy for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-34746) can allow an attacker to perform unauthorized actions such as internal port scanning, accessing sensitive data from internal services, or leveraging the compromised server as a proxy to conduct attacks against other systems. This could lead to data breaches, service disruption, or further compromise of the affected infrastructure. Although the precise number of installations affected is unknown, organizations using versions of Payload CMS prior to 3.79.1 are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Payload CMS to version 3.79.1 or later to patch the SSRF vulnerability (CVE-2026-34746).\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on all user-supplied URLs, especially those used in upload functionality, to prevent SSRF attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual outbound HTTP requests originating from the Payload CMS server to detect potential SSRF exploitation. Deploy the Sigma rule detecting outbound connections from the webserver.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful SSRF attack by restricting access to sensitive internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T20:16:26Z","date_published":"2026-04-01T20:16:26Z","id":"/briefs/2026-04-payload-cms-ssrf/","summary":"Payload CMS versions before 3.79.1 are vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated users with upload access to trigger outbound HTTP requests to arbitrary URLs.","title":"Payload CMS SSRF Vulnerability (CVE-2026-34746)","url":"https://feed.craftedsignal.io/briefs/2026-04-payload-cms-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-34751"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-34751","payload-cms","password-reset","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePayload CMS is a free and open-source headless content management system. Prior to version 3.79.1, a critical vulnerability (CVE-2026-34751) exists in the \u003ccode\u003e@payloadcms/graphql\u003c/code\u003e and \u003ccode\u003epayload\u003c/code\u003e components concerning the password recovery flow. This flaw allows an unauthenticated attacker to potentially perform actions as a legitimate user who has initiated a password reset process. The vulnerability arises from improper handling of password reset tokens or insufficient validation during the password reset process. The maintainers addressed this issue in version 3.79.1. Organizations using affected versions of Payload CMS should upgrade immediately to prevent potential account compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a valid username on the Payload CMS instance.\u003c/li\u003e\n\u003cli\u003eAttacker initiates the password reset process for the target user via the CMS login page.\u003c/li\u003e\n\u003cli\u003eThe CMS sends a password reset email to the valid user, containing a unique password reset link.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or gains access to the password reset link (e.g., via sniffing network traffic, although unlikely in a modern HTTPS-enabled setup, or social engineering).\u003c/li\u003e\n\u003cli\u003eAttacker uses the intercepted password reset link to access the password reset form.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the attacker can successfully change the password without proper validation or authorization checks beyond the initial link.\u003c/li\u003e\n\u003cli\u003eThe attacker sets a new password for the user account.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Payload CMS using the compromised account credentials, gaining unauthorized access and potentially escalating privileges depending on the account\u0026rsquo;s role.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34751 allows an unauthenticated attacker to compromise user accounts within the Payload CMS. The impact ranges from unauthorized data access and modification to complete account takeover, potentially affecting all users on the CMS instance, including administrators. Given the headless nature of Payload CMS, this can lead to content manipulation, defacement, or even backend data breaches, impacting any applications or services relying on the CMS for content delivery.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Payload CMS to version 3.79.1 or later to patch CVE-2026-34751, addressing the flawed password recovery flow.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Payload CMS Password Reset Abuse\u003c/code\u003e to detect suspicious password reset activity (log source: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual password reset requests or access patterns, and correlate these with potential attempts to exploit CVE-2026-34751.\u003c/li\u003e\n\u003cli\u003eConsider implementing multi-factor authentication (MFA) to mitigate the risk of account takeover even if the password reset process is compromised.\u003c/li\u003e\n\u003cli\u003eReview and strengthen password policies, encouraging users to use strong, unique passwords to minimize the impact of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor for password reset requests originating from unusual source IPs (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T18:16:31Z","date_published":"2026-04-01T18:16:31Z","id":"/briefs/2026-04-payload-cms-reset-vuln/","summary":"An unauthenticated attacker can perform actions on behalf of a user initiating a password reset in Payload CMS versions prior to 3.79.1 due to a flaw in the password recovery flow, potentially leading to account takeover or privilege escalation.","title":"Payload CMS Password Reset Vulnerability (CVE-2026-34751)","url":"https://feed.craftedsignal.io/briefs/2026-04-payload-cms-reset-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Payload-Cms","version":"https://jsonfeed.org/version/1.1"}