CVE-2026-34751
Payload · Payload CMS
A vulnerability in the Payload CMS password recovery flow allows unauthenticated attackers to perform unauthorized actions on behalf of users initiating a password reset.
Executive summary
An unauthenticated vulnerability in Payload CMS enables attackers to hijack user sessions during the password recovery process, posing a critical risk to account integrity.
Vulnerability
This is an authentication bypass vulnerability within the password recovery workflow of Payload CMS. An unauthenticated attacker can exploit this flaw to execute actions as a legitimate user who has initiated a password reset request.
Business impact
The ability for an unauthorized party to act on behalf of a legitimate user constitutes a severe breach of access control. Given the CVSS score of 9.1, this vulnerability could lead to total account takeover, unauthorized data modification, and potential exfiltration of sensitive information, resulting in significant reputational and operational damage.
Remediation
Immediate Action: Upgrade both @payloadcms/graphql and the core payload package to version 3.79.1 or later.
Proactive Monitoring: Review application access logs for suspicious password reset patterns or unauthorized account modifications occurring in close proximity to reset requests.
Compensating Controls: Implement strict rate limiting on the password recovery endpoint to mitigate automated exploitation attempts while the patching process is underway.
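The log review recommended above, as an added example that is not part of this advisory or of Payload's own code: it correlates password reset requests with account modifications made from a different client address inside a short window, and separately flags bursts of reset requests from one address that would warrant the rate limiting mentioned. The access-log line format, the /api/users/forgot-password and /api/users/<id> paths, the 15-minute window and the sample lines are assumptions constructed for the illustration.

```javascript
// Constructed sample access-log lines (not real traffic), one request per line:
// <ISO timestamp> <client ip> <method> <path> <status>
const SAMPLE_LOGS = [
  '2026-03-01T10:00:00Z 203.0.113.5 POST /api/users/forgot-password 200',
  '2026-03-01T10:03:00Z 198.51.100.9 PATCH /api/users/42 200', // other ip, inside window
  '2026-03-01T10:20:00Z 203.0.113.5 PATCH /api/users/42 200',  // same ip, outside window
  '2026-03-01T11:00:00Z 192.0.2.7 POST /api/users/forgot-password 200',
  '2026-03-01T11:00:01Z 192.0.2.7 POST /api/users/forgot-password 200',
  '2026-03-01T11:00:02Z 192.0.2.7 POST /api/users/forgot-password 200',
  '2026-03-01T12:00:00Z 198.51.100.9 GET /api/users/me 200',   // read only, not a change
];

const LINE_RE = /^(\S+) (\S+) (GET|POST|PATCH|PUT|DELETE) (\S+) (\d{3})$/;

// Parse one line into a request record; malformed lines yield null and are skipped.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Assumed endpoint shapes: POST .../forgot-password starts a reset; PATCH/PUT/DELETE
// on /api/users/<id> changes an account.
const isResetRequest = (r) => r.method === 'POST' && r.path.endsWith('/forgot-password');
const isAccountChange = (r) =>
  ['PATCH', 'PUT', 'DELETE'].includes(r.method) && /^\/api\/users\/[^/]+$/.test(r.path);

// Returns:
//  - modifications: account changes within windowMs after a reset request, made from a
//    different client IP than the reset request (the pattern the advisory asks to review);
//  - bursts: IPs that sent burstThreshold or more reset requests within windowMs.
function findSuspiciousResetActivity(lines, windowMs = 15 * 60 * 1000, burstThreshold = 3) {
  const reqs = lines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const resets = reqs.filter(isResetRequest);
  const modifications = [];
  for (const r of reqs.filter(isAccountChange)) {
    const trigger = resets.find((x) => x.ts <= r.ts && r.ts - x.ts <= windowMs && x.ip !== r.ip);
    if (trigger) modifications.push({ path: r.path, ip: r.ip, resetIp: trigger.ip, resetAt: trigger.ts });
  }
  const resetTimesByIp = new Map();
  for (const x of resets) resetTimesByIp.set(x.ip, [...(resetTimesByIp.get(x.ip) || []), x.ts]);
  const bursts = [];
  for (const [ip, times] of resetTimesByIp) {
    // times are already sorted; any run of burstThreshold requests inside windowMs qualifies
    for (let i = 0; i + burstThreshold <= times.length; i++) {
      if (times[i + burstThreshold - 1] - times[i] <= windowMs) { bursts.push({ ip, count: times.length }); break; }
    }
  }
  return { modifications, bursts };
}
```

Findings from this review are a starting point for manual confirmation against the user's own activity, not proof of compromise on their own.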
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability represents a critical failure in authentication logic that mandates immediate attention. Security teams must prioritize the update to version 3.79.1 across all affected deployments to eliminate the risk of session hijacking and unauthorized administrative actions.