Description
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Authorization is present in PayloadCMS version 3.84.1 because the account unlock operation does not enforce sufficient access control. This flaw allows an attacker who possesses any authenticated user token to use the default unlock endpoint to unlock accounts that should remain locked. As a result, the attacker can gain unauthorized access to those accounts, facilitating account takeover or credential harvesting. The weakness is identified as CWE-307.

Affected Systems

PayloadCMS version 3.84.1 running on Linux, macOS, or Windows operating systems is affected. Only the listed version is known to contain the flaw.

Risk and Exploitability

The CVSS base score is 5.3, indicating a medium severity. No EPSS data is available, and the vulnerability is not in the CISA KEV catalog. Based on the description, it is inferred that the threat requires an authenticated user and can be executed remotely via the web interface. Because the flaw permits bypassing the lockout mechanism, an attacker can obtain access to user accounts and potentially compromise additional resources, depending on account privileges. Mitigation hinges on enforcing proper authorization for the unlock endpoint and patching the affected release.

Generated by OpenCVE AI on June 26, 2026 at 18:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest stable release of PayloadCMS that includes the account unlock authorization fix.
  • If an upgrade is not possible immediately, enforce access controls on the unlock endpoints.
  • Monitor logs for unauthorized unlock attempts and audit account status changes regularly.
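As an added illustration of the second action above (example code, not from OpenCVE or the Payload project), a Payload collection config that narrows the auth unlock operation to an assumed "admin" role, so that an ordinary authenticated user can no longer clear another account's lockout. The `roles` field and the role names are assumptions for this example.

```typescript
// Added example (not from the OpenCVE page or the Payload project): restrict the
// collection-level "unlock" access so only administrators can clear a lockout.
// Assumes the users collection carries a `roles` array field (an assumption).
type User = { id: string; roles?: string[] };
type AccessArgs = { req: { user?: User | null } };

// Access function for the unlock operation. Returns true only when the
// requesting user is authenticated AND holds the assumed "admin" role; an
// anonymous request, a missing roles field or a non-admin role is denied.
const adminOnlyUnlock = ({ req: { user } }: AccessArgs): boolean =>
  Boolean(user && Array.isArray(user.roles) && user.roles.includes('admin'));

// Auth-enabled users collection with the hardened unlock access. Lockout
// thresholds are examples; `lockTime` is expressed in milliseconds.
const Users = {
  slug: 'users',
  auth: {
    maxLoginAttempts: 5,
    lockTime: 10 * 60 * 1000, // 10 minutes
  },
  access: {
    // Without an explicit entry here the collection's default access applies,
    // which is what lets any logged-in user reach the unlock endpoint.
    unlock: adminOnlyUnlock,
  },
  fields: [
    {
      name: 'roles',
      type: 'select',
      hasMany: true,
      options: ['admin', 'editor'],
      defaultValue: ['editor'],
    },
  ],
};
```

Pair the config change with log review: an unlock request that is denied by this access function is worth alerting on, since a legitimate administrator rarely trips it.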


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation.
Title | | PayloadCMS 3.84.1 - Authenticated account lockout bypass through default unlock access
First Time appeared | | Payloadcms; Payloadcms payloadcms
Weaknesses | | CWE-307
CPEs | | cpe:2.3:a:payloadcms:payloadcms:3.84.1:*:linux:*:*:*:*:*; cpe:2.3:a:payloadcms:payloadcms:3.84.1:*:macos:*:*:*:*:*; cpe:2.3:a:payloadcms:payloadcms:3.84.1:*:windows:*:*:*:*:*
Vendors & Products | | Payloadcms; Payloadcms payloadcms
References | |
Metrics (cvssV4_0) | | {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-26T17:15:31.958Z

Reserved: 2026-06-09T12:26:37.643Z

Link: CVE-2026-11779

Vulnrichment

Updated: 2026-06-26T17:15:15.341Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:15:04Z

Weaknesses
  • CWE-307: Improper Restriction of Excessive Authentication Attempts