CVE-2026-39397
Delmare Digital · Payload-Puck Plugin
The @delmaredigital/payload-puck plugin for PayloadCMS bypasses collection-level access controls, allowing unauthorized API access.
Executive summary
An access control bypass in the Payload-Puck plugin for PayloadCMS allows unauthorized users to read and modify data through the plugin's API endpoints, regardless of the access rules defined on the underlying collections.
Vulnerability
The createPuckPlugin() function calls the Payload local API with overrideAccess: true when serving requests to the plugin's API endpoints. In Payload, overrideAccess skips evaluation of a collection's access functions; it defaults to true in the local API and is intended for trusted server-side calls, so a plugin that acts on behalf of an incoming HTTP request must instead pass overrideAccess: false together with the requesting user. Because the plugin does not do this, every collection-level access rule is ignored for the affected endpoints, and any caller, authenticated or not, can read and modify the data they expose.
Business impact
This vulnerability (CVSS 9.4) allows unauthorized access to data managed by the Puck visual page builder. The business impact includes unauthorized modification or deletion of site content and exposure of data that collection access rules were meant to protect, which amounts to a loss of content integrity and confidentiality for the affected site.
Remediation
Immediate Action: Update the @delmaredigital/payload-puck plugin to version 0.6.23 or later.
Proactive Monitoring: Review API access logs for CRUD operations directed toward the /api/puck/* endpoints. Because the bypass happens inside the plugin, the affected requests are logged as ordinary successes rather than as access-control failures; look for write requests (POST, PUT, PATCH, DELETE) to those paths from unauthenticated sessions, from users without a role that permits the operation, or from unexpected source addresses, across the whole period a vulnerable version was deployed.
Compensating Controls: Implement external API gateway restrictions to enforce authorization rules if the plugin cannot be updated immediately.
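The log review suggested under Proactive Monitoring, as an added example that is not part of the advisory or the plugin: a small scanner that pulls successful write requests to /api/puck/* out of access-log lines and separates out those with no authenticated user. The log lines are constructed for this example and use Apache/nginx "combined" format; the assumption that the proxy fills the authuser field for authenticated sessions, and the exact /api/puck/... paths, are illustrative and must be adapted to the real deployment.

```typescript
// Added example, not code from the advisory or the Payload-Puck plugin.
// Scans combined-format access logs for successful writes to /api/puck/*.

type LogEntry = {
  remote: string
  authuser: string // "-" when the proxy recorded no authenticated user (assumed)
  time: string
  method: string
  path: string
  status: number
}

// Constructed sample log lines (not real traffic). Paths under /api/puck/
// are illustrative.
const SAMPLE_LOG = `
203.0.113.5 - - [02/May/2026:10:01:12 +0000] "GET /api/puck/pages/home HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.5 - - [02/May/2026:10:01:20 +0000] "PATCH /api/puck/pages/home HTTP/1.1" 200 88 "-" "curl/8.5"
198.51.100.7 - alice [02/May/2026:10:05:02 +0000] "POST /api/puck/pages HTTP/1.1" 201 140 "https://cms.example/admin" "Mozilla/5.0"
203.0.113.5 - - [02/May/2026:10:06:44 +0000] "DELETE /api/puck/pages/about HTTP/1.1" 403 31 "-" "curl/8.5"
203.0.113.9 - - [02/May/2026:10:07:01 +0000] "POST /api/users/login HTTP/1.1" 200 210 "-" "curl/8.5"
`

// remote ident authuser [time] "METHOD path proto" status ...
const COMBINED = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /

function parseCombined(line: string): LogEntry | null {
  const m = COMBINED.exec(line)
  if (!m) return null
  return {
    remote: m[1],
    authuser: m[2],
    time: m[3],
    method: m[4].toUpperCase(),
    path: m[5],
    status: Number(m[6]),
  }
}

const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"])

// Every write to /api/puck/* that the server accepted (2xx). Because the
// bypass lives inside the plugin, these look like normal successes; all of
// them from the exposure window deserve review, not only the anonymous ones.
function successfulPuckWrites(log: string): LogEntry[] {
  return log
    .split("\n")
    .map(parseCombined)
    .filter((e): e is LogEntry => e !== null)
    .filter(
      (e) =>
        e.path.startsWith("/api/puck/") &&
        WRITE_METHODS.has(e.method) &&
        e.status >= 200 &&
        e.status < 300,
    )
}

// Highest-priority subset: accepted writes with no authenticated user at all.
function unauthenticatedWrites(entries: LogEntry[]): LogEntry[] {
  return entries.filter((e) => e.authuser === "-")
}

// Demonstration when run directly.
for (const e of successfulPuckWrites(SAMPLE_LOG)) {
  const flag = e.authuser === "-" ? "ANON " : "     "
  console.log(`${flag}${e.time} ${e.remote} ${e.authuser} ${e.method} ${e.path} ${e.status}`)
}
```

In the sample, the anonymous PATCH to /api/puck/pages/home is the finding; the 403 DELETE and the login request are filtered out. Authenticated writes are still listed, since under the bypass a logged-in user without the required role could also have written.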
Exploitation status
Public Exploit Available: No
Analyst recommendation
Plugin updates should be applied immediately to restore proper access control. Administrators should also audit the content managed through the Puck plugin for changes made while a vulnerable version was deployed, since the bypass produces no access-control failure that would have raised an alert at the time.