Description
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
Published: 2026-02-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to User Preferences
Action: Patch
AI Analysis

Impact

Prior to version 3.74.0, Payload CMS allows an authenticated user to read or delete preference data belonging to users from a different authentication collection when their numeric IDs collide. This insecure direct object reference (IDOR) flaw can expose sensitive configuration data and enable destructive actions such as preference deletion. The weakness is classified as CWE-639: Authorization Bypass Through User-Controlled Key.

Affected Systems

Affected products include Payload CMS version 3.73.x and earlier. The vulnerability is present when the system operates in a multi‑auth environment with Postgres or SQLite databases that use default auto‑increment primary keys. Users from distinct authentication collections whose numeric identifiers overlap can exploit the flaw.

Risk and Exploitability

The issue carries a CVSS base score of 5.4 (moderate), and its EPSS score is under 1%, so current exploitation attempts are considered unlikely. The flaw is not listed in CISA's KEV catalog, and no public exploits are known. Exploitation requires an authenticated user who can identify a numeric ID collision between preference entries in different authentication collections; based on the description, it is inferred that the attacker would first need to enumerate or otherwise discover the overlapping IDs before being able to fetch or delete the other users' preferences through the internal collection API.

Generated by OpenCVE AI on April 18, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Payload CMS to version 3.74.0 or newer, which removes the ID collision handling logic.
  • Reconfigure the database to use globally unique identifiers (UUIDs) instead of sequential numeric IDs for preference entries, ensuring no cross‑collection ID overlap.
  • Add or reinforce application‑level checks that validate the auth collection belonging to the requesting user before exposing or deleting preference data.
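The third recommendation can be illustrated with a small model of the ownership check. The JavaScript below is an added example written for this page, not code from Payload or from the advisory; it assumes that a preference record stores its owner as a polymorphic relationship of the shape { relationTo, value } and that the requesting user carries its auth collection name as user.collection, which follows Payload's documented conventions but is stated here as an assumption. The preference records and users are constructed sample data, and the where-clause evaluator is a toy stand-in for the database query, not Payload's own.

```javascript
// Added example (not Payload's code). Models the cross-collection IDOR:
// two auth collections with default serial IDs both contain a user with id 1.

// Constructed sample data. The "user" field mirrors a polymorphic
// relationship { relationTo, value } (assumption about the stored shape).
const PREFERENCES = [
  { id: 1, key: 'nav', user: { relationTo: 'admins', value: 1 }, value: { collapsed: true } },
  { id: 2, key: 'nav', user: { relationTo: 'customers', value: 1 }, value: { collapsed: false } },
  { id: 3, key: 'theme', user: { relationTo: 'admins', value: 2 }, value: { dark: true } },
];

// Flawed ownership test: compares only the numeric owner ID, so
// customers#1 and admins#1 are indistinguishable.
function ownsPreferenceVulnerable(pref, requester) {
  return pref.user.value === requester.id;
}

// Hardened ownership test: the owner's collection must match as well.
function ownsPreferenceHardened(pref, requester) {
  return pref.user.relationTo === requester.collection && pref.user.value === requester.id;
}

// Returns the IDs of preference records a requester may see under a given check.
function readableBy(requester, check, prefs = PREFERENCES) {
  return prefs.filter((p) => check(p, requester)).map((p) => p.id);
}

// Payload-style access function: instead of a boolean it returns a query
// constraint that is ANDed into every find/update/delete on the collection.
// Unauthenticated requests are denied outright. The field paths
// 'user.relationTo' / 'user.value' are the assumed polymorphic query paths.
function preferencesAccess({ req: { user } }) {
  if (!user) return false;
  return {
    and: [
      { 'user.relationTo': { equals: user.collection } },
      { 'user.value': { equals: user.id } },
    ],
  };
}

// Toy evaluator for the subset of where-syntax used above (and / equals).
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

function matchesWhere(doc, where) {
  if (where === true) return true;
  if (where === false) return false;
  if (Array.isArray(where.and)) return where.and.every((w) => matchesWhere(doc, w));
  return Object.entries(where).every(([path, cond]) => getPath(doc, path) === cond.equals);
}

// Applies the access constraint the way a collection query would.
function visiblePreferenceIds(user, prefs = PREFERENCES) {
  const where = preferencesAccess({ req: { user } });
  return prefs.filter((p) => matchesWhere(p, where)).map((p) => p.id);
}

// Stand-alone demonstration.
const customerOne = { id: 1, collection: 'customers' };
console.log('id-only check      :', readableBy(customerOne, ownsPreferenceVulnerable)); // [1, 2]
console.log('id+collection check:', readableBy(customerOne, ownsPreferenceHardened));   // [2]
console.log('access constraint  :', visiblePreferenceIds(customerOne));                 // [2]
```

Running the block shows the difference directly: with the ID-only comparison, the customer with id 1 can see (and, with the same check on delete, remove) the admin's record, while the collection-aware constraint scopes every query to the requester's own auth collection. The same constraint pattern also covers the UUID recommendation indirectly: even with non-colliding IDs, binding the query to both fields is what makes ownership explicit rather than incidental.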

Advisories

Source: Github GHSA
ID: GHSA-jq29-r496-r955
Title: payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)

History

Fri, 20 Feb 2026 20:15:00 +0000
  CPEs: cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

Mon, 09 Feb 2026 16:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000
  First Time appeared: Payloadcms; Payloadcms payload
  Vendors & Products: Payloadcms; Payloadcms payload

Fri, 06 Feb 2026 21:30:00 +0000
  Description: Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
  Title: Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)
  Weaknesses: CWE-639
  References:
  Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-02-09T15:27:32.333Z
  Reserved: 2026-02-03T01:02:46.714Z
  Link: CVE-2026-25574

Vulnrichment
  Updated: 2026-02-09T15:19:23.363Z

NVD
  Status: Analyzed
  Published: 2026-02-06T22:16:11.740
  Modified: 2026-02-20T20:14:13.127
  Link: CVE-2026-25574

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-18T13:30:45Z
  Weaknesses
    • CWE-639: Authorization Bypass Through User-Controlled Key