<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Puck - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/puck/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/puck/feed.xml" rel="self" type="application/rss+xml"/><item><title>PayloadCMS Puck Plugin Access Control Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-payload-puck-access-control-bypass/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-payload-puck-access-control-bypass/</guid><description>A critical vulnerability in @delmaredigital/payload-puck versions prior to 0.6.23 allows attackers to bypass collection-level access controls in PayloadCMS via the /api/puck/* endpoints due to improper access configuration, leading to unauthorized data manipulation.</description><content:encoded><![CDATA[<p>The @delmaredigital/payload-puck plugin, designed to integrate the Puck visual page builder with PayloadCMS, contains a critical access control vulnerability. In versions prior to 0.6.23, the <code>/api/puck/*</code> CRUD endpoint handlers, registered by <code>createPuckPlugin()</code>, call Payload's local API with <code>overrideAccess: true</code> by default. This configuration effectively bypasses all collection-level access control mechanisms defined within PayloadCMS. Consequently, any access options passed to <code>createPuckPlugin()</code> or access rules defined on Puck-registered collections are silently ignored, granting unauthorized access to data and potentially enabling malicious actors to perform CRUD operations without proper authentication or authorization. This vulnerability allows for defense evasion and unauthorized data modification within PayloadCMS instances utilizing vulnerable versions of the plugin. It is crucial to upgrade to version 0.6.23 or later to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a PayloadCMS instance running a vulnerable version of the <code>@delmaredigital/payload-puck</code> plugin (prior to 0.6.23).</li>
<li>The attacker crafts a malicious HTTP request targeting a <code>/api/puck/*</code> endpoint, such as <code>/api/puck/pages/create</code>, <code>/api/puck/pages/update</code>, or <code>/api/puck/pages/delete</code>.</li>
<li>The attacker injects unauthorized data or commands within the request body, exploiting the lack of access control checks.</li>
<li>The <code>createPuckPlugin()</code> function processes the request, calling Payload's local API with <code>overrideAccess: true</code>.</li>
<li>PayloadCMS's access control mechanisms are bypassed due to the <code>overrideAccess</code> setting.</li>
<li>The attacker's unauthorized data or commands are executed, potentially creating, updating, or deleting sensitive data within the PayloadCMS instance.</li>
<li>The attacker may escalate privileges by modifying user roles or creating new administrative accounts via the exposed API endpoints.</li>
<li>The attacker exfiltrates sensitive data or defaces the website.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to bypass access controls and perform unauthorized CRUD operations on PayloadCMS collections. This could lead to data breaches, data manipulation, privilege escalation, and complete compromise of the affected PayloadCMS instance. The impact is particularly severe for organizations relying on PayloadCMS to manage sensitive content or critical business processes. The CVSS v3.1 base score is 9.4, indicating a critical severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>@delmaredigital/payload-puck</code> plugin to version 0.6.23 or later to remediate the access control bypass vulnerability (CVE-2026-39397).</li>
<li>Deploy the provided Sigma rule &quot;Detect Unauthorized Access to PayloadCMS Puck Endpoints&quot; to identify potential exploitation attempts targeting the <code>/api/puck/*</code> endpoints.</li>
<li>Review and audit existing PayloadCMS access control configurations to ensure proper restrictions are in place after upgrading the <code>@delmaredigital/payload-puck</code> plugin.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>payloadcms</category><category>puck</category><category>access-control-bypass</category><category>cve-2026-39397</category></item></channel></rss>