Description
Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only.
Published: 2026-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF
Action: Apply Patch
AI Analysis

Impact

This CVE exposes a Server-Side Request Forgery flaw in the external file upload feature of Payload CMS. The system fails to properly validate HTTP redirects when an external URL is supplied, allowing an authenticated attacker with write permission on an upload-enabled collection to force the server to request arbitrary internal resources and retrieve their responses. The attacker could thus obtain data from internal services or platforms that should otherwise be unreachable from the public network.
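As an added illustration of the check the advisory describes as insufficient (this is not Payload's own code, which does not appear on this record), the following TypeScript fetches an external file with manual redirect handling and re-validates the resolved address on every hop rather than only on the initial URL. The names `fetchExternalFile`, `assertPublicUrl` and `isPrivateAddress` are hypothetical, and the private-range list is an assumption.

```typescript
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

// True for loopback, unspecified, RFC 1918, link-local (which includes the
// 169.254.169.254 cloud metadata address), IPv6 ULA and IPv4-mapped IPv6.
export function isPrivateAddress(ip: string): boolean {
  const version = isIP(ip);
  if (version === 4) {
    const [a, b] = ip.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (version === 6) {
    const low = ip.toLowerCase();
    const mapped = low.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isPrivateAddress(mapped[1] ?? "");
    return low === "::1" || low === "::" || low.startsWith("fc") ||
      low.startsWith("fd") || low.startsWith("fe80");
  }
  return true; // not an IP literal: the caller must resolve it first
}

// Parses one URL, resolves its host and refuses non-http(s) schemes and
// non-public addresses. Called once per hop, not only for the initial URL.
export async function assertPublicUrl(raw: string): Promise<URL> {
  const url = new URL(raw);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const ip = isIP(host) ? host : (await lookup(host)).address;
  if (isPrivateAddress(ip)) throw new Error(`refusing non-public address ${ip}`);
  return url;
}

// Downloads an external file with manual redirect handling: each Location the
// remote server answers with is resolved and re-checked before it is followed.
export async function fetchExternalFile(raw: string, maxHops = 3) {
  let current = raw;
  for (let hop = 0; hop <= maxHops; hop++) {
    const url = await assertPublicUrl(current);
    const res = await fetch(url, { redirect: "manual" });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get("location");
    if (!location) throw new Error("redirect without Location header");
    current = new URL(location, url).toString(); // relative redirects allowed
  }
  throw new Error(`more than ${maxHops} redirects`);
}
```

Validating the resolved address and then connecting by hostname still leaves a DNS rebinding window between the lookup and the connection; pinning the socket to the checked address closes it. `assertPublicUrl` needs DNS for non-literal hosts, so only IP-literal URLs can be exercised offline.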

Affected Systems

Payload CMS versions prior to 3.75.0 are vulnerable. All installations of payloadcms:payload that have at least one collection with upload enabled and a user who can create uploads in that collection are affected.

Risk and Exploitability

The CVSS score is 6.5, indicating medium severity, while the EPSS probability is under 1%, signifying a relatively low likelihood of exploitation. The vulnerability is not listed in KEV. Exploitation requires an authenticated session and proper permissions on an upload-enabled collection; once those conditions are met, the attacker can discover or read data from internal hosts via crafted redirects.

Generated by OpenCVE AI on April 16, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Payload CMS to version 3.75.0 or later to apply the vendor-issued fix.
  • If an upgrade cannot be performed immediately, set the `disableExternalFile` option to true on all upload-enabled collections to stop external URL processing.
  • Alternatively, limit `create` permissions on upload-enabled collections to trusted or minimal-privilege users.


Advisories
Source: GitHub GHSA
ID: GHSA-hhfx-5x8j-f5f6
Title: Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads
History

Fri, 27 Feb 2026 19:15:00 +0000
Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 20:00:00 +0000
Type: CPEs
Values Added: cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

Wed, 25 Feb 2026 12:00:00 +0000
Type: First Time appeared
Values Added: Payloadcms; Payloadcms payload
Type: Vendors & Products
Values Added: Payloadcms; Payloadcms payload

Tue, 24 Feb 2026 14:45:00 +0000
Type: Description
Values Added: (initial description, identical to the Description at the top of this record)
Type: Title
Values Added: Payload has Server-Side Request Forgery (SSRF) in External File URL Uploads
Type: Weaknesses
Values Added: CWE-918
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T19:03:28.091Z

Reserved: 2026-02-20T17:40:28.448Z

Link: CVE-2026-27567

Vulnrichment

Updated: 2026-02-27T19:03:23.855Z

NVD

Status: Analyzed

Published: 2026-02-24T15:21:38.273

Modified: 2026-02-26T19:59:33.657

Link: CVE-2026-27567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses