Description
Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.
Published: 2026-04-01
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SSRF
Action: Patch Now
AI Analysis

Impact

The flaw allows authenticated users with create or update permissions on an upload-enabled collection to cause the server to perform HTTP requests to arbitrary URLs. This Server-Side Request Forgery can be used to reach internal or external services, exfiltrate sensitive data or trigger unintended actions, thereby violating confidentiality and availability. The weakness corresponds to CWE-918, and without remediation it exposes the site to a range of DoS and data leakage scenarios.

Affected Systems

Payload CMS, version 3.78 and earlier. The vulnerability exists in all releases before 3.79.1. An update to 3.79.1 or newer eliminates the flaw.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires a user to be logged in with sufficient collection permissions, so an attacker would need either legitimate credentials or a compromised account. Once authenticated, the SSRF can be triggered via the upload endpoint, enabling outbound connections that the application operator does not intend.

Generated by OpenCVE AI on April 13, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 3.79.1 patch or any newer release from Payload CMS
  • If patching is not immediately possible, restrict the upload-enabled collections to read-only or remove them from the project
  • Configure the server to deny outbound connections to internal networks or critical services via firewall rules
  • Monitor the upload endpoint for abnormal usage patterns

Generated by OpenCVE AI on April 13, 2026 at 21:10 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-6r7f-q7f5-wpx8
Title: Payload has Authenticated SSRF via Upload Functionality
History

Mon, 13 Apr 2026 19:00:00 +0000

Values added:
CPEs: cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Values added:
First time appeared: Payloadcms; Payloadcms payload
Vendors & Products: Payloadcms; Payloadcms payload
Metrics (SSVC): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Values added:
Description: Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.
Title: Payload has Authenticated SSRF via Upload Functionality
Weaknesses: CWE-918
References: (empty)
Metrics (CVSS v3.1): {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:12:09.290Z

Reserved: 2026-03-30T19:17:10.224Z

Link: CVE-2026-34746

Vulnrichment

Updated: 2026-04-02T15:12:03.551Z

NVD

Status : Analyzed

Published: 2026-04-01T20:16:26.727

Modified: 2026-04-13T18:52:39.340

Link: CVE-2026-34746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:10Z

Weaknesses