CVE-2026-34751

Payload · Payload CMS

A vulnerability in the Payload CMS password recovery flow allows unauthenticated attackers to perform unauthorized actions on behalf of users initiating a password reset.

Executive summary

An unauthenticated flaw in the Payload CMS password recovery flow lets an attacker act as a user who has requested a password reset, a critical risk to account integrity.

Vulnerability

This is an authentication bypass in the password recovery workflow of Payload CMS. An unauthenticated attacker can exploit it to perform actions as a legitimate user who has initiated a password reset request. The fix touches both the core payload package and @payloadcms/graphql, so the REST and GraphQL sides of the flow should be treated as affected until both are updated.

Business impact

An unauthorized party acting on behalf of a legitimate user is a severe access-control failure. With a CVSS score of 9.1, this vulnerability can lead to full account takeover, unauthorized data modification and exfiltration of sensitive information, with significant reputational and operational damage.

Remediation

Immediate Action: Upgrade both @payloadcms/graphql and the core payload package to version 3.79.1 or later, and verify afterwards that both packages resolve to the fixed release; the fix applies to both.

Proactive Monitoring: Review application and audit logs for password reset abuse: bursts of reset requests from one source against many accounts, and password resets or account modifications landing shortly after a reset request, especially when the completion comes from a different source address than the request.
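As an added example that is not part of the advisory and not Payload's code, the two heuristics above run over a constructed JSON-lines audit log. The field names ts, event, ip and email and the event names forgot_password, reset_password and user_update are assumptions about a hypothetical audit log, not Payload's log format; map them to whatever your deployment actually records.

```javascript
// Added example, not Payload's code. Password-reset abuse heuristics over a
// constructed JSON-lines audit log. Field and event names are assumptions about
// a hypothetical audit log, not Payload's own log format.

const SAMPLE_LOG = [
  // Constructed: one source issues six reset requests in under a minute.
  '{"ts":"2026-04-01T10:00:00Z","event":"forgot_password","ip":"203.0.113.7","email":"u1@example.com"}',
  '{"ts":"2026-04-01T10:00:10Z","event":"forgot_password","ip":"203.0.113.7","email":"u2@example.com"}',
  '{"ts":"2026-04-01T10:00:20Z","event":"forgot_password","ip":"203.0.113.7","email":"u3@example.com"}',
  '{"ts":"2026-04-01T10:00:30Z","event":"forgot_password","ip":"203.0.113.7","email":"u4@example.com"}',
  '{"ts":"2026-04-01T10:00:40Z","event":"forgot_password","ip":"203.0.113.7","email":"u5@example.com"}',
  '{"ts":"2026-04-01T10:00:50Z","event":"forgot_password","ip":"203.0.113.7","email":"u6@example.com"}',
  // Constructed: alice requests a reset, but the reset and a profile change come from another IP.
  '{"ts":"2026-04-01T10:05:00Z","event":"forgot_password","ip":"198.51.100.20","email":"alice@example.com"}',
  '{"ts":"2026-04-01T10:07:30Z","event":"reset_password","ip":"203.0.113.7","email":"alice@example.com"}',
  '{"ts":"2026-04-01T10:08:00Z","event":"user_update","ip":"203.0.113.7","email":"alice@example.com"}',
  // Constructed: bob completes his own reset from the requesting IP (benign).
  '{"ts":"2026-04-01T10:10:00Z","event":"forgot_password","ip":"198.51.100.21","email":"bob@example.com"}',
  '{"ts":"2026-04-01T10:12:00Z","event":"reset_password","ip":"198.51.100.21","email":"bob@example.com"}',
].join("\n");

// Parse JSON lines and attach a numeric timestamp for window arithmetic.
function parseLog(text) {
  return text
    .split("\n")
    .filter(Boolean)
    .map((line) => {
      const rec = JSON.parse(line);
      return { ...rec, t: Date.parse(rec.ts) };
    });
}

// Heuristic 1: a source IP that sends more than `max` forgot_password requests
// inside any `windowMs` window (spraying or automated exploitation).
function findResetBursts(records, { windowMs = 10 * 60_000, max = 5 } = {}) {
  const byIp = new Map();
  for (const r of records) {
    if (r.event !== "forgot_password") continue;
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r.t);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let lo = 0; // sliding window: [lo, hi] all within windowMs
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowMs) lo++;
      if (hi - lo + 1 > max) {
        flagged.push(ip);
        break;
      }
    }
  }
  return flagged;
}

// Heuristic 2: a reset_password or user_update for an account within
// `windowMs` after a forgot_password for that account, from a different IP
// than the one that requested the reset.
function findCrossSourceResets(records, { windowMs = 15 * 60_000 } = {}) {
  const requests = records.filter((r) => r.event === "forgot_password");
  const findings = [];
  for (const r of records) {
    if (r.event !== "reset_password" && r.event !== "user_update") continue;
    const match = requests.find(
      (q) => q.email === r.email && r.t - q.t >= 0 && r.t - q.t <= windowMs && q.ip !== r.ip,
    );
    if (match) {
      findings.push({
        email: r.email,
        event: r.event,
        requestIp: match.ip,
        actionIp: r.ip,
        deltaSec: (r.t - match.t) / 1000,
      });
    }
  }
  return findings;
}

const records = parseLog(SAMPLE_LOG);
console.log(JSON.stringify({
  bursts: findResetBursts(records),
  crossSource: findCrossSourceResets(records),
}, null, 2));
```

Both heuristics are starting points: tune the window and threshold to the legitimate reset volume of the site, and treat a cross-source completion as a lead to triage against the user's usual addresses rather than as proof of compromise.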

Compensating Controls: Apply strict rate limiting to the password recovery endpoint, per source address and per target account, to slow automated exploitation until the patch is deployed, and keep the endpoint's response identical whether or not the account exists so the limiter does not become an enumeration oracle.
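One way to implement that control, as an added example rather than Payload's code or part of the advisory: a two-level sliding-window limiter in front of the recovery endpoint. It assumes the endpoint is POST /api/users/forgot-password (check the route for your deployment), that the client IP has already been derived from the socket or a trusted proxy header, and it uses a hypothetical sendResetEmail function in place of whatever your handler calls to dispatch the reset mail.

```javascript
// Added example, not Payload's code. A two-level limiter for the password
// recovery endpoint. Assumes `ip` comes from the socket or a trusted proxy
// header (never from an untrusted X-Forwarded-For) and that the route is
// POST /api/users/forgot-password; both are assumptions to verify locally.

class SlidingWindowLimiter {
  constructor({ windowMs, max, now }) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now; // injectable clock so the policy can be tested offline
    this.hits = new Map(); // key -> timestamps still inside the window
  }

  // Record a hit for `key` and report whether it was within budget.
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < this.windowMs);
    const ok = recent.length < this.max;
    if (ok) recent.push(t);
    this.hits.set(key, recent);
    return ok;
  }
}

// The same body is returned whether or not the account exists or is throttled.
const GENERIC_BODY = {
  message: "If an account exists for that address, a reset email has been sent.",
};

function normalizeEmail(email) {
  return String(email || "").trim().toLowerCase();
}

// Returns guard({ ip, email }) -> { status, body, send }.
function makeForgotPasswordGuard({ now = () => Date.now() } = {}) {
  const perIp = new SlidingWindowLimiter({ windowMs: 15 * 60_000, max: 10, now });
  const perAccount = new SlidingWindowLimiter({ windowMs: 60 * 60_000, max: 3, now });

  return function guard({ ip, email }) {
    // Hard limit per source: an automated client gets a 429 and nothing is sent.
    if (!perIp.allow(ip || "unknown")) {
      return { status: 429, body: { message: "Too many requests" }, send: false };
    }
    // Soft limit per target account: over quota we still answer 200 with the
    // generic body, so the caller learns nothing, but no further email is
    // generated for that mailbox during the window. The account is not locked;
    // the owner can request again once the window passes.
    const account = normalizeEmail(email);
    const send = account !== "" && perAccount.allow(account);
    return { status: 200, body: GENERIC_BODY, send };
  };
}

// Usage sketch with a hypothetical Express-style handler and a hypothetical
// sendResetEmail(); substitute your framework and your mail dispatch.
//
//   const guard = makeForgotPasswordGuard();
//   app.post("/api/users/forgot-password", (req, res) => {
//     const { status, body, send } = guard({ ip: req.ip, email: req.body.email });
//     if (send) sendResetEmail(req.body.email);
//     res.status(status).json(body);
//   });
```

The per-account limit is deliberately silent: rejecting with a distinct status would let an attacker both enumerate accounts and lock real users out of self-service recovery. This in-memory state is per process; behind several instances use a shared store with the same keying.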

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

This vulnerability is a critical failure in authentication logic and needs immediate attention. Security teams should prioritize the upgrade to version 3.79.1 across all affected deployments to eliminate the risk of an attacker acting as a user whose password reset is in progress.