Description
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
Published: 2026-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized actions via forged requests
Action: Patch
AI Analysis

Impact

A Cross-Site Request Forgery vulnerability in Payload CMS allows an attacker to forge requests against the authentication flow when the CSRF protection is misconfigured or bypassed. The exploit can execute actions that the authenticated user is authorized to perform, potentially leading to unauthorized data modification or other unintended behavior. The weakness is identified as a CSRF flaw.

Affected Systems

All Payload CMS installations running a version older than 3.79.1 are affected. The vulnerability is present in the default Payload product distributed by payloadcms:payload.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector, inferred from the description, involves an attacker sending crafted HTTP requests to the authentication endpoints of a web application where a victim is already logged in. Because CSRF exploits rely on the victim’s authenticated session, successful execution would allow the attacker to perform privileged actions as that user.

Generated by OpenCVE AI on April 13, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Payload CMS to version 3.79.1 or later
  • Verify that CSRF protection is enabled and correctly configured after the update

Generated by OpenCVE AI on April 13, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p6mr-xf3r-ghq4 Payload has a CSRF Protection Bypass in Authentication Flow
History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Payloadcms
Payloadcms payload
Vendors & Products Payloadcms
Payloadcms payload

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
Title Payload has a CSRF Protection Bypass in Authentication Flow
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Payloadcms Payload
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T19:46:32.770Z

Reserved: 2026-03-30T19:17:10.224Z

Link: CVE-2026-34749

cve-icon Vulnrichment

Updated: 2026-04-02T14:11:06.607Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T20:16:27.187

Modified: 2026-04-13T19:13:43.503

Link: CVE-2026-34749

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:07Z

Weaknesses